Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    20/12/2024, 16:54 UTC

General

  • Target

    ..exe

  • Size

    145KB

  • MD5

    a55e72b66a2767fa68ae713250ff0b21

  • SHA1

    550d1c5ef3c23cc59392ea24c67f4f43669cecef

  • SHA256

    a31527ac5e1df418a9ee25b623ad730c44e18b4b62aa6e649bb6e5fd9e0088f5

  • SHA512

    cb47663be048c07c6e9e6387946a512f0435be1a4034a5ee2549025b70cd4c5868bfba0ea3e76af0700492f1c8dc388f83e0c7f37ac64011ed2eaca06daef1d2

  • SSDEEP

    3072:VuIJT8kD2gEdIOcYgb8GHOxk0y+Bz65/M6If+3Js+3JFkKeTnYx:VuITSzCOPgbmyMxBt25v

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

192.168.0.174:8808

Mutex

ejrY4UrkOJwj

Attributes
  • delay

    3

  • install

    true

  • install_file

    System Handler.exe

  • install_folder

    %AppData%

  • aes.plain

    DGlZdHJWG34C74jjfhxaRXT3tEZLwEfx

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\..exe
    "C:\Users\Admin\AppData\Local\Temp\..exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System Handler" /tr '"C:\Users\Admin\AppData\Roaming\System Handler.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "System Handler" /tr '"C:\Users\Admin\AppData\Roaming\System Handler.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2796
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE698.tmp.bat""
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2852
      • C:\Users\Admin\AppData\Roaming\System Handler.exe
        "C:\Users\Admin\AppData\Roaming\System Handler.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2204
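
The process tree above is the complete AsyncRAT install sequence: the dropper registers an ONLOGON scheduled task at the highest run level whose action points into %AppData%, writes a batch file that waits three seconds, and then launches a copy of itself (the SHA256 of System Handler.exe is identical to the original sample) from AppData\Roaming. As an added example that is not part of the tria.ge report, the Go program below encodes those three observations as rules over process-creation events (the field subset Sysmon event 1 or Security event 4688 provides) and runs them over a constructed event list built from this tree; the ProcEvent struct, the rule names and the benign counter-example are my own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is the subset of a process-creation record the rules need; SHA256 is empty where the log source does not hash the image.
type ProcEvent struct{ PID, PPID int; Image, CommandLine, SHA256 string }

// Finding names the rule that fired, the process it fired on, and the evidence.
type Finding struct{ Rule string; PID int; Detail string }

const sampleSHA256 = "a31527ac5e1df418a9ee25b623ad730c44e18b4b62aa6e649bb6e5fd9e0088f5"

// sampleEvents is constructed from the process tree in the report above (hashes from its General and Downloads sections).
var sampleEvents = []ProcEvent{
	{1292, 0, `C:\Users\Admin\AppData\Local\Temp\..exe`, `"C:\Users\Admin\AppData\Local\Temp\..exe"`, sampleSHA256},
	{2624, 1292, `C:\Windows\SysWOW64\cmd.exe`, `"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System Handler" /tr '"C:\Users\Admin\AppData\Roaming\System Handler.exe"' & exit`, ""},
	{2796, 2624, `C:\Windows\SysWOW64\schtasks.exe`, `schtasks /create /f /sc onlogon /rl highest /tn "System Handler" /tr '"C:\Users\Admin\AppData\Roaming\System Handler.exe"'`, ""},
	{2684, 1292, `C:\Windows\SysWOW64\cmd.exe`, `cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE698.tmp.bat""`, ""},
	{2852, 2684, `C:\Windows\SysWOW64\timeout.exe`, `timeout 3`, ""},
	{2204, 2684, `C:\Users\Admin\AppData\Roaming\System Handler.exe`, `"C:\Users\Admin\AppData\Roaming\System Handler.exe"`, sampleSHA256},
}

// trArg pulls the task action out of /tr, tolerating the '"..."' double quoting seen above.
var trArg = regexp.MustCompile(`(?i)/tr\s+['"]*([^'"]+)`)

func imageIs(e ProcEvent, name string) bool { return strings.HasSuffix(strings.ToLower(e.Image), `\`+name) }

// Rule 1: ONLOGON task at the highest run level whose action lives under user-writable AppData.
func schtasksUserPathPersistence(e ProcEvent) *Finding {
	cl := strings.ToLower(e.CommandLine)
	if !imageIs(e, "schtasks.exe") || !strings.Contains(cl, "/create") || !strings.Contains(cl, "/sc onlogon") || !strings.Contains(cl, "/rl highest") {
		return nil
	}
	m := trArg.FindStringSubmatch(e.CommandLine)
	if m == nil || !strings.Contains(strings.ToLower(m[1]), `\appdata\`) {
		return nil
	}
	return &Finding{"schtasks_onlogon_highest_appdata", e.PID, "task action: " + m[1]}
}

// Rule 2: cmd.exe running a .bat from Temp whose children are timeout.exe and an exe under AppData\Roaming.
func batchDelayedAppDataLaunch(e ProcEvent, kids []ProcEvent) *Finding {
	cl := strings.ToLower(e.CommandLine)
	if !imageIs(e, "cmd.exe") || !strings.Contains(cl, `\temp\`) || !strings.Contains(cl, ".bat") {
		return nil
	}
	sawTimeout, launched := false, ""
	for _, c := range kids {
		switch img := strings.ToLower(c.Image); {
		case strings.HasSuffix(img, `\timeout.exe`):
			sawTimeout = true
		case strings.Contains(img, `\appdata\roaming\`) && strings.HasSuffix(img, ".exe"):
			launched = c.Image
		}
	}
	if !sawTimeout || launched == "" {
		return nil
	}
	return &Finding{"temp_bat_timeout_then_appdata_exe", e.PID, "launched: " + launched}
}

// Rule 3: same hash as an ancestor but a different path, i.e. the dropper executed a copy of itself.
func droppedSelfCopy(e ProcEvent, byPID map[int]ProcEvent) *Finding {
	if e.SHA256 == "" {
		return nil
	}
	p, ok := byPID[e.PPID]
	for hops := 0; ok && hops < 32; hops++ { // hop limit guards against PID reuse forming a cycle
		if p.SHA256 == e.SHA256 && !strings.EqualFold(p.Image, e.Image) {
			return &Finding{"dropped_self_copy_executed", e.PID, fmt.Sprintf("same SHA256 as PID %d (%s)", p.PID, p.Image)}
		}
		p, ok = byPID[p.PPID]
	}
	return nil
}

// Analyze indexes events by PID and parent, runs every rule over every event, and returns findings in event order.
func Analyze(events []ProcEvent) []Finding {
	byPID, kids := map[int]ProcEvent{}, map[int][]ProcEvent{}
	for _, e := range events {
		byPID[e.PID] = e
		kids[e.PPID] = append(kids[e.PPID], e)
	}
	var out []Finding
	for _, e := range events {
		for _, f := range []*Finding{schtasksUserPathPersistence(e), batchDelayedAppDataLaunch(e, kids[e.PID]), droppedSelfCopy(e, byPID)} {
			if f != nil {
				out = append(out, *f)
			}
		}
	}
	return out
}

func main() {
	for _, f := range Analyze(sampleEvents) {
		fmt.Printf("[%s] pid=%d %s\n", f.Rule, f.PID, f.Detail)
	}
}
```

On the sample tree this yields exactly three findings, one per stage (PIDs 2796, 2684 and 2204). The AppData path condition in the first rule is what keeps it from firing on every installer that registers an ONLOGON task: the same switches with an action under Program Files produce no finding.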

Network

The configured C2, 192.168.0.174:8808, is a private (RFC 1918) address; the recorded flows are the installed copy's repeated connection attempts to it, and no DNS lookups or other traffic were logged.

  Destination          Process             Size   Count
  192.168.0.174:8808   System Handler.exe  152 B  3
  192.168.0.174:8808   System Handler.exe  152 B  3
  192.168.0.174:8808   System Handler.exe  152 B  3
  192.168.0.174:8808   System Handler.exe  152 B  3
  192.168.0.174:8808   System Handler.exe  152 B  3
  192.168.0.174:8808   System Handler.exe  104 B  2

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE698.tmp.bat

    Filesize

    158B

    MD5

    e39809a7abafc5c658ef2591628ee19e

    SHA1

    c6b638a62a6c19d3cebfa6ce88076c50d82e8627

    SHA256

    7995eb44177f4f1aa4ed65b35d00cf9088960d16c26272982313bc0e124518d4

    SHA512

    bb840b7b62f9932089f0528c92f9e7888bd5937a6ddda7475fae0c198ee572b4b74113cbf54b669d3ba9f18e03c8f2cd6783e61ac04a9fffdcda93d81b3b336d

  • \Users\Admin\AppData\Roaming\System Handler.exe

    Filesize

    145KB

    MD5

    a55e72b66a2767fa68ae713250ff0b21

    SHA1

    550d1c5ef3c23cc59392ea24c67f4f43669cecef

    SHA256

    a31527ac5e1df418a9ee25b623ad730c44e18b4b62aa6e649bb6e5fd9e0088f5

    SHA512

    cb47663be048c07c6e9e6387946a512f0435be1a4034a5ee2549025b70cd4c5868bfba0ea3e76af0700492f1c8dc388f83e0c7f37ac64011ed2eaca06daef1d2

  • memory/1292-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

    Filesize

    4KB

  • memory/1292-1-0x0000000000E10000-0x0000000000E3A000-memory.dmp

    Filesize

    168KB

  • memory/1292-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp

    Filesize

    6.9MB

  • memory/1292-11-0x00000000744D0000-0x0000000074BBE000-memory.dmp

    Filesize

    6.9MB

  • memory/2204-16-0x0000000000C10000-0x0000000000C3A000-memory.dmp

    Filesize

    168KB
