Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/12/2024, 04:11 UTC

General

  • Target

    a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe

  • Size

    51KB

  • MD5

    7bc2e6b25bfafe16708196e844dc1476

  • SHA1

    4689ebd58df0eaa8f21191f1e0aae0259a2a7497

  • SHA256

    a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06

  • SHA512

    aef4619973c3d71ce6eda4f4c1d4be2dcd88fceaf48bf2b4efde7c762d3ac45a3d4900b33aea04dfbd40079a279efd7ea2505056f0828cdb364ee478627e9e6a

  • SSDEEP

    1536:Wuir1TUKP2nwcvaOgnQtobdZ/CyiUdF2:WuiJTUKP2rS3n5bd/j2

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

8TdjLZxCzOjI

Attributes
  • delay

    3

  • install

    true

  • install_file

    client.exe

  • install_folder

    %AppData%

aes.plain

WotDkD357mdSJphDs1hGXNkk9s25MyFR

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe
    "C:\Users\Admin\AppData\Local\Temp\a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "client" /tr '"C:\Users\Admin\AppData\Roaming\client.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "client" /tr '"C:\Users\Admin\AppData\Roaming\client.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2768
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF289.tmp.bat""
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2788
      • C:\Users\Admin\AppData\Roaming\client.exe
        "C:\Users\Admin\AppData\Roaming\client.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2228
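The process tree above is the whole persistence chain: the sample (PID 1940) spawns cmd.exe to register an onlogon scheduled task named "client" with /rl highest whose action is %AppData%\client.exe, then runs a .bat dropped in %TEMP% that waits 3 seconds (the configured delay) and launches the copied client.exe. Because the dropped client.exe has the same hashes as the submitted file (see Downloads), the chain itself, not the file hash, is the durable detection signal. The Go program below is an added example, not part of the report or any sandbox's own detection code: it encodes that chain as three rules and runs them over process-creation events constructed from the tree above. The ProcEvent fields, rule names and PPID assignments are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is a minimal process-creation record. The field names are this
// example's own, not a sandbox or EDR schema.
type ProcEvent struct {
	PID, PPID int
	Image     string
	CmdLine   string
}

// Finding pairs a rule name with the PID of the event that matched it.
type Finding struct {
	PID  int
	Rule string
}

var (
	// a path under a user's AppData\Roaming or AppData\Local
	userWritable = regexp.MustCompile(`(?i)\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\`)
	// schtasks invoked with /create (also matches when wrapped in "cmd /c")
	schtasksCreate = regexp.MustCompile(`(?i)schtasks(\.exe)?\s.*?/create\b`)
	// a .bat file inside a Temp directory
	tempBat = regexp.MustCompile(`(?i)\\Temp\\[^"\s]+\.bat`)
)

func hasFlag(cmd, flag string) bool {
	return strings.Contains(strings.ToLower(cmd), flag)
}

// Detect runs three rules over the events and returns every match in event order.
func Detect(events []ProcEvent) []Finding {
	byPID := make(map[int]ProcEvent, len(events))
	for _, e := range events {
		byPID[e.PID] = e
	}
	var out []Finding
	for _, e := range events {
		// Rule 1: onlogon task at highest run level whose action lives in AppData.
		if schtasksCreate.MatchString(e.CmdLine) &&
			hasFlag(e.CmdLine, "/sc onlogon") && hasFlag(e.CmdLine, "/rl highest") &&
			userWritable.MatchString(e.CmdLine) {
			out = append(out, Finding{e.PID, "schtasks_onlogon_highest_appdata"})
		}
		// Rule 2: cmd.exe executing a .bat dropped in a Temp directory.
		if strings.HasSuffix(strings.ToLower(e.Image), `\cmd.exe`) && tempBat.MatchString(e.CmdLine) {
			out = append(out, Finding{e.PID, "cmd_runs_temp_bat"})
		}
		// Rule 3: an executable in AppData whose parent is that Temp .bat.
		if userWritable.MatchString(e.Image) {
			if p, ok := byPID[e.PPID]; ok && tempBat.MatchString(p.CmdLine) {
				out = append(out, Finding{e.PID, "appdata_exe_launched_by_temp_bat"})
			}
		}
	}
	return out
}

// sampleEvents is constructed from the process tree in the report; PPIDs follow the
// tree's nesting (the root's parent is not shown, so it is 0 here).
var sampleEvents = []ProcEvent{
	{1940, 0, `C:\Users\Admin\AppData\Local\Temp\a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe`,
		`"C:\Users\Admin\AppData\Local\Temp\a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe"`},
	{2840, 1940, `C:\Windows\SysWOW64\cmd.exe`,
		`"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "client" /tr '"C:\Users\Admin\AppData\Roaming\client.exe"' & exit`},
	{2768, 2840, `C:\Windows\SysWOW64\schtasks.exe`,
		`schtasks /create /f /sc onlogon /rl highest /tn "client" /tr '"C:\Users\Admin\AppData\Roaming\client.exe"'`},
	{2652, 1940, `C:\Windows\SysWOW64\cmd.exe`, `cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF289.tmp.bat""`},
	{2788, 2652, `C:\Windows\SysWOW64\timeout.exe`, `timeout 3`},
	{2228, 2652, `C:\Users\Admin\AppData\Roaming\client.exe`, `"C:\Users\Admin\AppData\Roaming\client.exe"`},
}

func main() {
	for _, f := range Detect(sampleEvents) {
		fmt.Printf("PID %d: %s\n", f.PID, f.Rule)
	}
}
```

Rule 1 fires twice on this tree, once for the cmd.exe wrapper (PID 2840) and once for schtasks.exe itself (PID 2768); keeping both is deliberate, since some telemetry only records one of them. Rule 3 is the one that ties the dropped copy to the batch file, so it stays quiet for the original sample (PID 1940) whose parent is outside the tree.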

Network

All three C2 entries in the extracted config are loopback addresses, so none of the connection attempts below leave the analysis host; what the sandbox recorded is client.exe repeatedly trying its configured host:port pairs. No other network results were recorded. The 24 attempts, by endpoint:

  • 127.0.0.1:8808
    client.exe (11 attempts)
  • 127.0.0.1:7707
    client.exe (9 attempts)
  • 127.0.0.1:6606
    client.exe (4 attempts)

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF289.tmp.bat

    Filesize

    150B

    MD5

    cd8eab0d02823eed651fd2ff46e1308c

    SHA1

    cf8a4134e0acecd574ffc66dbe35a8853c447bbd

    SHA256

    2cb62af13b770fa2a855fdab436e16371381306995482ad41bb1378a1257e7b6

    SHA512

    258d9177af0bdeb7387e9ecd71588aeb4950fc8ca93dce5ee8fecd09f92589a3e6da2c00d3c5f3471942f9e6272163f205342dde98e7ebc0bf9987f98b53238f

  • \Users\Admin\AppData\Roaming\client.exe

    Filesize

    51KB

    MD5

    7bc2e6b25bfafe16708196e844dc1476

    SHA1

    4689ebd58df0eaa8f21191f1e0aae0259a2a7497

    SHA256

    a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06

    SHA512

    aef4619973c3d71ce6eda4f4c1d4be2dcd88fceaf48bf2b4efde7c762d3ac45a3d4900b33aea04dfbd40079a279efd7ea2505056f0828cdb364ee478627e9e6a

  • memory/1940-0-0x000000007443E000-0x000000007443F000-memory.dmp

    Filesize

    4KB

  • memory/1940-1-0x0000000000340000-0x0000000000352000-memory.dmp

    Filesize

    72KB

  • memory/1940-2-0x0000000074430000-0x0000000074B1E000-memory.dmp

    Filesize

    6.9MB

  • memory/1940-11-0x0000000074430000-0x0000000074B1E000-memory.dmp

    Filesize

    6.9MB

  • memory/2228-16-0x00000000010F0000-0x0000000001102000-memory.dmp

    Filesize

    72KB
