Analysis
max time kernel: 1793s
max time network: 1780s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13/12/2024, 19:52
General
Target: crackers.exe
Size: 47KB
MD5: c293f3aa9309bdbbea7ce7b82c555e8e
SHA1: 69d4edbf51feb07fa5a87eae76418b40de34f72c
SHA256: d61d9974e73631319c87de439a9a018488795e1d31f12a29092a1a90113f0fb0
SHA512: d77b24dafe769fd9ba7bf52a6847ccb217c7e4d3af6adf1837cfcfb151c02acc02cc4ae046e4498f39209c083c188b41ae3d57cda427afbd0ece1d446c11396d
SSDEEP: 768:Eu4X9TskvpDWUPlNxmo2qbxLwhRLQ2XyytPIzx4jMZ0bpKRP4tgmcZbKBDZ8x:Eu4X9Tswb2BRL9Xy3zmjMebpKN4th9d+
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet (group): Default
C2: 127.0.0.1:1194
C2: 193.161.193.99:1194
Mutex: PX50IrcSQ5Gg
delay: 3
install: true
install_file: crackers.exe
install_folder: %AppData%

The first C2 entry is the loopback address and cannot reach an operator; 193.161.193.99:1194 is the only routable host in the configuration. The install settings (install=true, %AppData%\crackers.exe) and the 3-second delay match what the process tree below actually does: a self-copy to C:\Users\Admin\AppData\Roaming\crackers.exe, a "timeout 3", and a logon-triggered scheduled task pointing at that copy.
Signatures
Asyncrat family

Async RAT payload (1 IoC)
  resource                                      yara_rule
  behavioral1/files/0x001f00000002aaff-11.dat   family_asyncrat

Executes dropped EXE (1 IoC)
  pid   Process
  704   crackers.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    schtasks.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    timeout.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    crackers.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    crackers.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
  Low-signal: every process in this run reads this key, including the Windows-supplied cmd.exe, schtasks.exe and timeout.exe, so it is context rather than an indicator on its own.

Delays execution with timeout.exe (1 IoC)
  pid    Process
  4124   timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  3368   schtasks.exe

Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid    Process
  2576   crackers.exe   (the same PID is logged 17 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   2576   crackers.exe
  Token: SeDebugPrivilege   704    crackers.exe

Suspicious use of WriteProcessMemory (15 IoCs; each row below is logged three times)
  description                          pid    Process        procid_target
  PID 2576 wrote to memory of 4980     2576   crackers.exe   77
  PID 2576 wrote to memory of 788      2576   crackers.exe   79
  PID 788 wrote to memory of 4124      788    cmd.exe        81
  PID 4980 wrote to memory of 3368     4980   cmd.exe        82
  PID 788 wrote to memory of 704       788    cmd.exe        83
  Every target PID here is a direct child that the writing process has just created (compare the process tree below), so these rows record process creation, not injection into an existing, unrelated process.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\crackers.exe   (PID 2576)
    command line: "C:\Users\Admin\AppData\Local\Temp\crackers.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe   (PID 4980)
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "crackers" /tr '"C:\Users\Admin\AppData\Roaming\crackers.exe"' & exit
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe   (PID 3368)
        command line: schtasks /create /f /sc onlogon /rl highest /tn "crackers" /tr '"C:\Users\Admin\AppData\Roaming\crackers.exe"'
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
  [2] C:\Windows\SysWOW64\cmd.exe   (PID 788)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA018.tmp.bat""
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\timeout.exe   (PID 4124)
        command line: timeout 3
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
    [3] C:\Users\Admin\AppData\Roaming\crackers.exe   (PID 704)
        command line: "C:\Users\Admin\AppData\Roaming\crackers.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 2576) spawns two cmd.exe children. The first registers a scheduled task named "crackers" that fires at every logon and runs the %AppData% copy; /rl highest makes the task run at the highest privilege level available to the logging-on user, which for an administrator means elevated without a UAC prompt. The second runs a batch file from %Temp% that waits 3 seconds (timeout 3, matching the configured delay) and then launches the dropped copy C:\Users\Admin\AppData\Roaming\crackers.exe (PID 704), which is the process that goes on to request SeDebugPrivilege.

Two details matter when turning this into hunts. The command lines name C:\Windows\System32\cmd.exe, but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: the sample is 32-bit (note the arch:x86 tag) and WOW64 file-system redirection maps System32 to SysWOW64 for it, so match on the image path, not on the text of the command line. The batch file name tmpA018.tmp.bat follows the GetTempFileName pattern and will differ from run to run; hunt for cmd.exe /c executing any .bat under %Temp% rather than for this exact name. Stable indicators are the task name "crackers", the install path %AppData%\crackers.exe, and the schtasks flag combination /sc onlogon /rl highest with an action under a user-writable directory.
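The chain above (logon-triggered schtasks persistence into a user-writable path, a cmd.exe launcher for a .bat in %Temp%, and a timeout-delayed start of the dropped copy) can be hunted for in exported process-creation telemetry. The following is an added example written for this page, not tria.ge code; the event shape (pid/ppid/image/cmdline dictionaries) and the rule names are assumptions, and the sample events are constructed from the command lines in the tree above plus one benign control task.

```python
"""Analyst-side hunt over process-creation events for the persistence chain
seen in this report. Event format (pid/ppid/image/cmdline) is an assumption,
not tria.ge's export format; rule names are ours."""
import re

# Directory fragments a standard user can write to. A logon-task action or an
# executable living here is far more suspicious than one under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def image_name(ev: dict) -> str:
    """Basename of the image that actually ran (SysWOW64 vs System32 is irrelevant here)."""
    return ev["image"].rsplit("\\", 1)[-1].lower()


def check_schtasks_logon(ev: dict):
    """schtasks /create with an ONLOGON trigger whose /tr action is in a user-writable directory."""
    if image_name(ev) != "schtasks.exe":
        return None
    cl = ev["cmdline"]
    if not re.search(r"/create\b", cl, re.I) or not re.search(r"/sc\s+onlogon\b", cl, re.I):
        return None
    # /tr may be wrapped in a mix of single and double quotes, as in this sample.
    m = re.search(r"/tr\s+['\"]*([^'\"]+)", cl, re.I)
    target = m.group(1).strip() if m else ""
    if not is_user_writable(target):
        return None
    name = re.search(r"/tn\s+\"?([^\"\s]+)", cl, re.I)
    return {"rule": "schtasks_onlogon_userwritable", "pid": ev["pid"],
            "task": name.group(1) if name else None, "target": target,
            "rl_highest": bool(re.search(r"/rl\s+highest\b", cl, re.I))}


def check_temp_batch(ev: dict):
    """cmd.exe /c running a .bat or .cmd from a Temp directory (name is random per run)."""
    if image_name(ev) != "cmd.exe":
        return None
    m = re.search(r'/c\s+"*([^"]+\.(?:bat|cmd))"*', ev["cmdline"], re.I)
    if not m or "\\temp\\" not in m.group(1).lower():
        return None
    return {"rule": "cmd_temp_batch", "pid": ev["pid"], "script": m.group(1)}


def check_delayed_dropped_exe(ev: dict, events: list):
    """An exe in a user-writable path started by a cmd.exe that also ran timeout.exe."""
    if not ev["image"].lower().endswith(".exe") or not is_user_writable(ev["image"]):
        return None
    parent = next((e for e in events if e["pid"] == ev["ppid"]), None)
    if parent is None or image_name(parent) != "cmd.exe":
        return None
    siblings = [e for e in events if e["ppid"] == parent["pid"] and e["pid"] != ev["pid"]]
    if not any(image_name(s) == "timeout.exe" for s in siblings):
        return None
    return {"rule": "timeout_then_dropped_exe", "pid": ev["pid"], "image": ev["image"]}


def hunt(events: list) -> list:
    """Run every rule over every event; returns the list of findings in event order."""
    findings = []
    for ev in events:
        for f in (check_schtasks_logon(ev), check_temp_batch(ev), check_delayed_dropped_exe(ev, events)):
            if f:
                findings.append(f)
    return findings


# Constructed from the process tree on this page; ppid values follow the
# "wrote to memory of" parent/child pairs. The last event is a benign control.
SAMPLE_EVENTS = [
    {"pid": 2576, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\crackers.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\crackers.exe"'},
    {"pid": 4980, "ppid": 2576, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "crackers" /tr '"C:\Users\Admin\AppData\Roaming\crackers.exe"' & exit'''},
    {"pid": 3368, "ppid": 4980, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'''schtasks /create /f /sc onlogon /rl highest /tn "crackers" /tr '"C:\Users\Admin\AppData\Roaming\crackers.exe"' '''},
    {"pid": 788, "ppid": 2576, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA018.tmp.bat""'},
    {"pid": 4124, "ppid": 788, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 704, "ppid": 788, "image": r"C:\Users\Admin\AppData\Roaming\crackers.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\crackers.exe"'},
    {"pid": 9000, "ppid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn "Backup" /tr "C:\Program Files\Backup\agent.exe"'},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the three malicious stages fire (schtasks PID 3368, cmd.exe PID 788, the dropped copy PID 704) and the Program Files control task does not. The rules key on the image path rather than the command-line text, which is why the SysWOW64/System32 mismatch noted above does not matter to them.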
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 522B
  MD5: db9f45365506c49961bfaf3be1475ad2
  SHA1: 6bd7222f7b7e3e9685207cb285091c92728168e4
  SHA256: 3a8c487575696f7ace931dc220c85a47d33e0ead96aa9e47c705fee5dfac667a
  SHA512: 807028e2aed5b25b2d19ec4f09867746456de4e506c90c73e6730b35303511349a79ca0b9290509664edc0433d47e3fc7f2661534293ebb82185b1494da86a41
File 2
  Filesize: 152B
  MD5: 92a3847316b6c06c5898e8afd2f17340
  SHA1: a856061b4bd90152d86e1ec655898b97fb61f27e
  SHA256: ad2526ce8c3fa16159677628689b04eb37a03c9cdb47d646af3cbf15782a4dd1
  SHA512: 2899fe7c66bc172f654dddafd8374c4ea575fc9f0b8efa5ef86fc34e6f371a14c48c3b1c62bffc03d5e341745e5e6721b2f525ba52f85ecc918d14e1a35fc677
File 3
  Filesize: 47KB
  MD5: c293f3aa9309bdbbea7ce7b82c555e8e
  SHA1: 69d4edbf51feb07fa5a87eae76418b40de34f72c
  SHA256: d61d9974e73631319c87de439a9a018488795e1d31f12a29092a1a90113f0fb0
  SHA512: d77b24dafe769fd9ba7bf52a6847ccb217c7e4d3af6adf1837cfcfb151c02acc02cc4ae046e4498f39209c083c188b41ae3d57cda427afbd0ece1d446c11396d
  All four hashes are identical to the submitted crackers.exe, consistent with an unmodified self-copy to %AppData%\crackers.exe; the persistence copy can therefore be matched on the original sample's hashes.