Analysis
  max time kernel: 147s
  max time network: 150s
  platform: windows11-21h2_x64
  resource: win11-20241007-en
  resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 07/12/2024, 14:25
Behavioral tasks
  behavioral1: sample Client.exe, resource win10v2004-20241007-en
  behavioral2: sample Client.exe, resource win10ltsc2021-20241023-en
General
  Target: Client.exe
  Size: 48KB
  MD5: 77ca225fb7c84aad1e8ee9ead0110b4c
  SHA1: b26e40f8e945f4db6621d7ca5a575a84c0565f91
  SHA256: 716b12fa63c467b57e24182ae3af25b738fc589f3f4f0aa5c516190f3eefbf00
  SHA512: e8f2138cd82714ba58a30d9b48c7e61a6c42b17db297c332e078db544575404382ccf16dbd5bd0aced9342186b05b65a1da0426062b10729a40123a5887e3bbb
  SSDEEP: 768:ywpRILv+sx+LiEtelDSN+iV08YbygeYslsoo7RSYFr0bvEgK/JfZVc6KN:ywcpEtKDs4zb10rqjF4nkJfZVclN
Malware Config
  Extracted
    family: asyncrat
    version: 1.0.7
    Default
    C2 hosts:
      127.0.0.1:8848
      127.0.0.1:59953
      fojeweb571-59953.portmap.host:8848
      fojeweb571-59953.portmap.host:59953
    mutex: DcRatMutex_qwqdanchun
    delay: 1
    install: true
    install_file: windows defender firewall required.exe
    install_folder: %AppData%
Signatures
  Asyncrat family

  Async RAT payload (1 IoC)
    resource behavioral3/files/0x001e00000002aabf-10.dat: yara_rule family_asyncrat

  Executes dropped EXE (1 IoC)
    pid 4240: windows defender firewall required.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Delays execution with timeout.exe (1 IoC)
    pid 3536: timeout.exe

  Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid 2072: schtasks.exe

  Suspicious behavior: EnumeratesProcesses (17 IoCs)
    pid 2012: Client.exe (17 occurrences)

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege, pid 2012: Client.exe
    Token: SeDebugPrivilege, pid 4240: windows defender firewall required.exe

  Suspicious use of WriteProcessMemory (10 IoCs; each entry is reported twice)
    PID 2012 (Client.exe) wrote to memory of 4228, procid_target 77
    PID 2012 (Client.exe) wrote to memory of 4504, procid_target 79
    PID 4228 (cmd.exe) wrote to memory of 2072, procid_target 81
    PID 4504 (cmd.exe) wrote to memory of 3536, procid_target 82
    PID 4504 (cmd.exe) wrote to memory of 4240, procid_target 83

  Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  PID 2012: C:\Users\Admin\AppData\Local\Temp\Client.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    PID 4228: C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall required" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe"' & exit
      signatures: Suspicious use of WriteProcessMemory

      PID 2072: C:\Windows\system32\schtasks.exe
        command line: schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall required" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe"'
        signatures: Scheduled Task/Job: Scheduled Task

    PID 4504: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp74F1.tmp.bat""
      signatures: Suspicious use of WriteProcessMemory

      PID 3536: C:\Windows\system32\timeout.exe
        command line: timeout 3
        signatures: Delays execution with timeout.exe

      PID 4240: C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe
        command line: "C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe"
        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 178B
    MD5: 19365438f5059b2d6c35033cb7fabad0
    SHA1: 348e684f63a41cd5cc18bea2e9a989f540a41344
    SHA256: 329000d62aa6eac4719692f42d08697bc0273563cc3dcef494f5908d8d1ac36d
    SHA512: 38184735cd75d1c39b9d8c4953e6f096ac8d1fc3d7177356d9017c377c7ce6d4d8611a77784640f0dd9947a46d6e30415874437712cc386b2ef7336a792cb4d1

  File 2
    Filesize: 48KB
    MD5: 77ca225fb7c84aad1e8ee9ead0110b4c
    SHA1: b26e40f8e945f4db6621d7ca5a575a84c0565f91
    SHA256: 716b12fa63c467b57e24182ae3af25b738fc589f3f4f0aa5c516190f3eefbf00
    SHA512: e8f2138cd82714ba58a30d9b48c7e61a6c42b17db297c332e078db544575404382ccf16dbd5bd0aced9342186b05b65a1da0426062b10729a40123a5887e3bbb