Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 07/12/2024, 14:28
General
- Target: 2.exe
- Size: 48KB
- MD5: fc404d7ffa67d7063a0b48b8e99754f6
- SHA1: b7f169201014c940e36adbfcefaf9e3c144ff91a
- SHA256: 55656f594bc657fc544f4d03282bd1e69e15386e04b7c3be3508df8cd6316deb
- SHA512: cd9866eef2226d4c23c3a3740bb266ba7b6e3a8370758fe0e5442896f10972bd3b875b251a50b2b2b9a03cdc85ba63ac306593583f45cde869dd660921964f1f
- SSDEEP: 768:yX6P3UIL2C6L+DiLI7Vf2ki668YbHgeDc2vEgK/JLZVc6KN:yX6PwjkoxzbAUHnkJLZVclN
Malware Config
Extracted
- Family: asyncrat
- Version: 1.0.7
- Botnet: Default
- C2:
  - 127.0.0.1:8848
  - 127.0.0.1:59953
  - fojeweb571-59953.portmap.host:8848
  - fojeweb571-59953.portmap.host:59953
- Mutex: DcRatMutex_qwqdanchunxin
- delay: 1
- install: true
- install_file: windows defender firewall required.exe
- install_folder: %Temp%
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource yara_rule: behavioral1/files/0x001c00000002ab59-10.dat family_asyncrat
- Executes dropped EXE (1 IoC)
  pid Process: 544 windows defender firewall required.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description ioc Process:
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
  - Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
- Delays execution with timeout.exe (1 IoC)
  pid Process: 1140 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid Process: 492 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid Process: 2940 2.exe (17 entries), 4144 taskmgr.exe (47 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid Process: 4144 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description pid Process:
  - Token: SeDebugPrivilege 2940 2.exe
  - Token: SeDebugPrivilege 544 windows defender firewall required.exe
  - Token: SeDebugPrivilege 4144 taskmgr.exe
  - Token: SeSystemProfilePrivilege 4144 taskmgr.exe
  - Token: SeCreateGlobalPrivilege 4144 taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid Process: 4144 taskmgr.exe (64 entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid Process: 4144 taskmgr.exe (64 entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  description pid Process procid_target (each event is recorded twice in the report):
  - PID 2940 wrote to memory of 844 2940 2.exe 77
  - PID 2940 wrote to memory of 4944 2940 2.exe 78
  - PID 4944 wrote to memory of 1140 4944 cmd.exe 81
  - PID 844 wrote to memory of 492 844 cmd.exe 82
  - PID 4944 wrote to memory of 544 4944 cmd.exe 83
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
  PID: 2940
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall required" /tr '"C:\Users\Admin\AppData\Local\Temp\windows defender firewall required.exe"' & exit
    PID: 844
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall required" /tr '"C:\Users\Admin\AppData\Local\Temp\windows defender firewall required.exe"'
      PID: 492
      Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAAC7.tmp.bat""
    PID: 4944
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 1140
      Signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Local\Temp\windows defender firewall required.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\windows defender firewall required.exe"
      PID: 544
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  PID: 4144
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 181B
  - MD5: ce64ac59bccf3b87e7665beb8e51f664
  - SHA1: 97661589987012b25bfc8b3ee79faa66a9f93daf
  - SHA256: 0e7c841c446cdee75f8b3b11e41297d21982101fcc6b25027c383ca145ae25be
  - SHA512: 89072cbb712c63e0b6fb3101c4f8b8e2b19174f2ae52ba710431ac4a47fe5224c2775dc95de874420a101fbc6147f160257f604ff80fd0ea9083c9839cd7c45c
- File 2 (same hashes as the submitted sample 2.exe)
  - Filesize: 48KB
  - MD5: fc404d7ffa67d7063a0b48b8e99754f6
  - SHA1: b7f169201014c940e36adbfcefaf9e3c144ff91a
  - SHA256: 55656f594bc657fc544f4d03282bd1e69e15386e04b7c3be3508df8cd6316deb
  - SHA512: cd9866eef2226d4c23c3a3740bb266ba7b6e3a8370758fe0e5442896f10972bd3b875b251a50b2b2b9a03cdc85ba63ac306593583f45cde869dd660921964f1f