Analysis

  • max time kernel
    1793s
  • max time network
    1780s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    13/12/2024, 19:52

General

  • Target

    crackers.exe

  • Size

    47KB

  • MD5

    c293f3aa9309bdbbea7ce7b82c555e8e

  • SHA1

    69d4edbf51feb07fa5a87eae76418b40de34f72c

  • SHA256

    d61d9974e73631319c87de439a9a018488795e1d31f12a29092a1a90113f0fb0

  • SHA512

    d77b24dafe769fd9ba7bf52a6847ccb217c7e4d3af6adf1837cfcfb151c02acc02cc4ae046e4498f39209c083c188b41ae3d57cda427afbd0ece1d446c11396d

  • SSDEEP

    768:Eu4X9TskvpDWUPlNxmo2qbxLwhRLQ2XyytPIzx4jMZ0bpKRP4tgmcZbKBDZ8x:Eu4X9Tswb2BRL9Xy3zmjMebpKN4th9d+

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:1194

193.161.193.99:1194

Mutex

PX50IrcSQ5Gg

Attributes
  • delay

    3

  • install

    true

  • install_file

    crackers.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\crackers.exe
    "C:\Users\Admin\AppData\Local\Temp\crackers.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "crackers" /tr '"C:\Users\Admin\AppData\Roaming\crackers.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "crackers" /tr '"C:\Users\Admin\AppData\Roaming\crackers.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3368
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA018.tmp.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:4124
      • C:\Users\Admin\AppData\Roaming\crackers.exe
        "C:\Users\Admin\AppData\Roaming\crackers.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crackers.exe.log

    Filesize

    522B

    MD5

    db9f45365506c49961bfaf3be1475ad2

    SHA1

    6bd7222f7b7e3e9685207cb285091c92728168e4

    SHA256

    3a8c487575696f7ace931dc220c85a47d33e0ead96aa9e47c705fee5dfac667a

    SHA512

    807028e2aed5b25b2d19ec4f09867746456de4e506c90c73e6730b35303511349a79ca0b9290509664edc0433d47e3fc7f2661534293ebb82185b1494da86a41

  • C:\Users\Admin\AppData\Local\Temp\tmpA018.tmp.bat

    Filesize

    152B

    MD5

    92a3847316b6c06c5898e8afd2f17340

    SHA1

    a856061b4bd90152d86e1ec655898b97fb61f27e

    SHA256

    ad2526ce8c3fa16159677628689b04eb37a03c9cdb47d646af3cbf15782a4dd1

    SHA512

    2899fe7c66bc172f654dddafd8374c4ea575fc9f0b8efa5ef86fc34e6f371a14c48c3b1c62bffc03d5e341745e5e6721b2f525ba52f85ecc918d14e1a35fc677

  • C:\Users\Admin\AppData\Roaming\crackers.exe

    Filesize

    47KB

    MD5

    c293f3aa9309bdbbea7ce7b82c555e8e

    SHA1

    69d4edbf51feb07fa5a87eae76418b40de34f72c

    SHA256

    d61d9974e73631319c87de439a9a018488795e1d31f12a29092a1a90113f0fb0

    SHA512

    d77b24dafe769fd9ba7bf52a6847ccb217c7e4d3af6adf1837cfcfb151c02acc02cc4ae046e4498f39209c083c188b41ae3d57cda427afbd0ece1d446c11396d

  • memory/704-14-0x00000000744B0000-0x0000000074C61000-memory.dmp

    Filesize

    7.7MB

  • memory/704-15-0x00000000744B0000-0x0000000074C61000-memory.dmp

    Filesize

    7.7MB

  • memory/2576-0-0x00000000744BE000-0x00000000744BF000-memory.dmp

    Filesize

    4KB

  • memory/2576-1-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

    Filesize

    72KB

  • memory/2576-2-0x00000000744B0000-0x0000000074C61000-memory.dmp

    Filesize

    7.7MB

  • memory/2576-3-0x00000000056D0000-0x000000000576C000-memory.dmp

    Filesize

    624KB

  • memory/2576-8-0x00000000744B0000-0x0000000074C61000-memory.dmp

    Filesize

    7.7MB