Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

c759cde09c...27.exe

windows7-x64

10

c759cde09c...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    14/12/2024, 13:24 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c759cde09cf057c2430ceb74bd7f15427d2ad27f0b77dcc8630c8a148486cf27.exe

  • Size

    45KB

  • MD5

    05b54deb0e3e6a3fb9155a14642b50ba

  • SHA1

    77bf6744502a5946861baf104c1cf4babc171b9c

  • SHA256

    c759cde09cf057c2430ceb74bd7f15427d2ad27f0b77dcc8630c8a148486cf27

  • SHA512

    3668e77850acfb0c42f1d15de08fcd737f0c6d7087f25f6404b1f378aea94ca34ab0d85f2bea1c8a9d11692a039d0fa42aeec4876bb802ae2c192608e5bc5a9b

  • SSDEEP

    768:6uKQ9TH4EjZWUR/ejmo2qrYKjPGaG6PIyzjbFgX3i6cpxs298YBDZTx:6uKQ9THfe2BKTkDy3bCXSpF9LdTx

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028
Mutex

lmk8StbxTzvz

Attributes
  • delay

    3

  • install

    true

  • install_file

    Discord.exe

  • install_folder

    %AppData%

aes.plain
1
ED967YbI73q9hV0VBBGFdB9jsiDpLn8g

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c759cde09cf057c2430ceb74bd7f15427d2ad27f0b77dcc8630c8a148486cf27.exe
    "C:\Users\Admin\AppData\Local\Temp\c759cde09cf057c2430ceb74bd7f15427d2ad27f0b77dcc8630c8a148486cf27.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2880
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8FB2.tmp.bat""
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2812
      • C:\Users\Admin\AppData\Roaming\Discord.exe
        "C:\Users\Admin\AppData\Roaming\Discord.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2960

Network

  • flag-us
    DNS
    18.ip.gl.ply.gg
    Discord.exe
    Remote address:
    8.8.8.8:53
    Request
    18.ip.gl.ply.gg
    IN A
    Response
    18.ip.gl.ply.gg
    IN A
    147.185.221.18
  • 10.127.1.47:9028
    Discord.exe
  • 147.185.221.18:6606
    18.ip.gl.ply.gg
    Discord.exe
    152 B
     3
  • 147.185.221.18:6606
    18.ip.gl.ply.gg
    Discord.exe
    152 B
     3
  • 147.185.221.18:6606
    18.ip.gl.ply.gg
    Discord.exe
    152 B
     3
  • 147.185.221.18:7707
    18.ip.gl.ply.gg
    Discord.exe
    152 B
     3
  • 147.185.221.18:7707
    18.ip.gl.ply.gg
    Discord.exe
    152 B
     3
  • 147.185.221.18:7707
    18.ip.gl.ply.gg
    Discord.exe
    52 B
     1
  • 8.8.8.8:53
    18.ip.gl.ply.gg
    dns
    Discord.exe
    61 B
     77 B
     1
    1

    DNS Request

    18.ip.gl.ply.gg

    DNS Response

    147.185.221.18

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8FB2.tmp.bat
    Filesize

    151B

    MD5

    e5f9f0ea395ab5c1d6743112c7cc011b

    SHA1

    b4c0d9de536201a6921a25c1fbdfc969eb39935b

    SHA256

    d2943ebae840cd5cb5e497ff6f5aa4192ab9a95cd8997887b429cb1d35b1f433

    SHA512

    22bde60468452d55a2c777325586fc4a67005eebeb3ad1068c3ac4e6dfe92ee959656e687e761be52789a8b673d5b8f75b174c68eb8eaef3e1e4dd1785e0aab7

    Download Submit

  • \Users\Admin\AppData\Roaming\Discord.exe
    Filesize

    45KB

    MD5

    05b54deb0e3e6a3fb9155a14642b50ba

    SHA1

    77bf6744502a5946861baf104c1cf4babc171b9c

    SHA256

    c759cde09cf057c2430ceb74bd7f15427d2ad27f0b77dcc8630c8a148486cf27

    SHA512

    3668e77850acfb0c42f1d15de08fcd737f0c6d7087f25f6404b1f378aea94ca34ab0d85f2bea1c8a9d11692a039d0fa42aeec4876bb802ae2c192608e5bc5a9b

    Download Submit

  • memory/2744-0-0x00000000741FE000-0x00000000741FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2744-1-0x0000000001360000-0x0000000001372000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2744-2-0x00000000741F0000-0x00000000748DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2744-11-0x00000000741F0000-0x00000000748DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2960-16-0x0000000000C90000-0x0000000000CA2000-memory.dmp

    Filesize

    72KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.