Analysis
max time kernel: 140s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/12/2024, 00:10
Behavioral task: behavioral1
Sample: latencyx.exe
Resource: win7-20240903-en
General
Target: latencyx.exe
Size: 45KB
MD5: f4c46528fb0b51636d9c5860e0e4048e
SHA1: 76c0d55950b8e8995f0cc75d35f620f39d13ae1b
SHA256: 2ac2e1571a16168fb4ca930eb4b1a27fdbbff15f87384c13565f44fc22c4a8c7
SHA512: aa6f1833ff1367bf938c2d52227707fb64c6ceaa5acbffd879150b094fc5a6b163e777ddbb7cc6cb33c3c15ec61ae7dbfc8c6462cf574bff43c88bf207fc80b9
SSDEEP: 768:GuEs9THvkHCWU0neImo2q88maPol53APIkzjb+gX3i90yHCFB/JkAX1kBDZSx:GuEs9THc72cfob3lk3bBXS908CFnkAXh
Malware Config
Extracted
asyncrat
0.5.8
Default
t1euvzy.localto.net:2171
t1euvzy.localto.net:55065
ZpDC6oZwIVKp
delay: 3
install: false
install_file: dwmm.exe
install_folder: %AppData%
Signatures
- Asyncrat family
- Deletes itself (1 IoC)
  pid 1728, process cmd.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | latencyx.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
- Delays execution with timeout.exe (1 IoC)
  pid 2988, process timeout.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2008 | latencyx.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2008 wrote to memory of 1728 | 2008 | latencyx.exe | 32
  PID 2008 wrote to memory of 1728 | 2008 | latencyx.exe | 32
  PID 2008 wrote to memory of 1728 | 2008 | latencyx.exe | 32
  PID 2008 wrote to memory of 1728 | 2008 | latencyx.exe | 32
  PID 1728 wrote to memory of 2988 | 1728 | cmd.exe | 34
  PID 1728 wrote to memory of 2988 | 1728 | cmd.exe | 34
  PID 1728 wrote to memory of 2988 | 1728 | cmd.exe | 34
  PID 1728 wrote to memory of 2988 | 1728 | cmd.exe | 34
Processes
1. C:\Users\Admin\AppData\Local\Temp\latencyx.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\latencyx.exe"
   PID: 2008
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCFF4.tmp.bat""
      PID: 1728
      - Deletes itself
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 3
         PID: 2988
         - System Location Discovery: System Language Discovery
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 160B
  MD5: bdcc475b8a9c0e645747339c534e9cf8
  SHA1: 414a566813ed2c90a8e7799536069089a892a962
  SHA256: 165ac5ded592e2458d87a2d074443af520ba7b0612c1ef372cc014574915affd
  SHA512: c1d27f439328b4ea4c63d0cf7e8980db29c6021d04d9df8f9af19ca4e0786ea34241f38d0c6712a8c3b6f78eacc96c627fa30f7a085228efb563030e878ab2bf