Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
07/12/2024, 14:25
General
-
Target
Client.exe
-
Size
48KB
-
MD5
77ca225fb7c84aad1e8ee9ead0110b4c
-
SHA1
b26e40f8e945f4db6621d7ca5a575a84c0565f91
-
SHA256
716b12fa63c467b57e24182ae3af25b738fc589f3f4f0aa5c516190f3eefbf00
-
SHA512
e8f2138cd82714ba58a30d9b48c7e61a6c42b17db297c332e078db544575404382ccf16dbd5bd0aced9342186b05b65a1da0426062b10729a40123a5887e3bbb
-
SSDEEP
768:ywpRILv+sx+LiEtelDSN+iV08YbygeYslsoo7RSYFr0bvEgK/JfZVc6KN:ywcpEtKDs4zb10rqjF4nkJfZVclN
Malware Config
Extracted
asyncrat
1.0.7
Default
127.0.0.1:8848
127.0.0.1:59953
fojeweb571-59953.portmap.host:8848
fojeweb571-59953.portmap.host:59953
DcRatMutex_qwqdanchun
-
delay
1
-
install
true
-
install_file
windows defender firewall required.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall required" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall required" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp74F1.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe"C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
178B
MD519365438f5059b2d6c35033cb7fabad0
SHA1348e684f63a41cd5cc18bea2e9a989f540a41344
SHA256329000d62aa6eac4719692f42d08697bc0273563cc3dcef494f5908d8d1ac36d
SHA51238184735cd75d1c39b9d8c4953e6f096ac8d1fc3d7177356d9017c377c7ce6d4d8611a77784640f0dd9947a46d6e30415874437712cc386b2ef7336a792cb4d1
-
Filesize
48KB
MD577ca225fb7c84aad1e8ee9ead0110b4c
SHA1b26e40f8e945f4db6621d7ca5a575a84c0565f91
SHA256716b12fa63c467b57e24182ae3af25b738fc589f3f4f0aa5c516190f3eefbf00
SHA512e8f2138cd82714ba58a30d9b48c7e61a6c42b17db297c332e078db544575404382ccf16dbd5bd0aced9342186b05b65a1da0426062b10729a40123a5887e3bbb
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
10.8MB