Analysis
- max time kernel: 598s
- max time network: 589s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/12/2024, 17:00
General
- Target: gggg.exe
- Size: 52KB
- MD5: fb6d592ff07d0e26a291b3e78c1ce139
- SHA1: e5e82e613372b0795f8347ac643e954f0c514df2
- SHA256: 347586f7facf4ef5fcb456f6589d65cb3167a7fa4379740ff03b2c861d8cf364
- SHA512: 5db5797fcb1a6c2cbd2e2f4aaf2a5fd47f693116583596292531b73a36eabc8517ee7bc1d8cb5a999f45a5ca91152f0b3a810ec00ce35c8283f02d1c5e287779
- SSDEEP: 1536:2uu91TwSb2nth5csqQXb6HoTUdHN0QdH/:2uuDTwSb2tQsqwb6I4dtl9/
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2: 127.0.0.1:8808, 10.59.25.45:8808
- Mutex: KxaqMLMZrN62
- Attributes:
  - delay: 3
  - install: true
  - install_file: Maple.exe
  - install_folder: %AppData%
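Both C2 entries in this config are unroutable from the internet (127.0.0.1 is loopback, 10.59.25.45 is RFC 1918), so there is nothing here to put on a perimeter blocklist; the actionable indicators are the host artifacts the install routine creates. The script below, an added example and not tria.ge output, buckets the C2 list by reachability and derives the expected host artifacts from the install attributes. CONFIG copies the values from the Malware Config section above; the dict layout, the FOLDERS expansion table and the `<user>` placeholder are assumptions, and the rule that the task name equals the install_file stem is taken from this run's schtasks /tn "Maple".

```python
"""Turn the extracted AsyncRAT config into indicators a SOC can act on.

Added example, not tria.ge output. CONFIG copies the values from the report's
Malware Config section; the dict layout and the '<user>' placeholder used when
expanding %AppData% are assumptions.
"""
import ipaddress

CONFIG = {
    "family": "asyncrat", "version": "0.5.8", "botnet": "Default",
    "c2": ["127.0.0.1:8808", "10.59.25.45:8808"],
    "mutex": "KxaqMLMZrN62",
    "delay": 3, "install": True,
    "install_file": "Maple.exe", "install_folder": "%AppData%",
}

# Assumed expansion of the install_folder placeholders; '<user>' stands for
# whichever profile the sample runs under (C:\Users\Admin in the sandbox).
FOLDERS = {
    "%AppData%": r"C:\Users\<user>\AppData\Roaming",
    "%Temp%": r"C:\Users\<user>\AppData\Local\Temp",
}


def classify_c2(entry):
    """Bucket a host:port entry by how actionable it is at the perimeter."""
    host, _, port = entry.rpartition(":")
    if not port.isdigit():
        raise ValueError("expected host:port, got %r" % entry)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "domain"      # resolve it and watch DNS instead of blocking an IP
    if ip.is_loopback:
        return "loopback"    # never leaves the host; do not blocklist
    if ip.is_private:
        return "private"     # RFC 1918; only meaningful inside that network
    return "public"


def triage(cfg):
    """Split C2 entries by reachability and derive the host artifacts that the
    install routine leaves behind (file path, scheduled task name, mutex)."""
    network = {"loopback": [], "private": [], "public": [], "domain": []}
    for entry in cfg["c2"]:
        network[classify_c2(entry)].append(entry)
    host = {"mutex": cfg["mutex"]}
    if cfg.get("install"):
        folder = FOLDERS.get(cfg["install_folder"], cfg["install_folder"])
        host["install_path"] = folder + "\\" + cfg["install_file"]
        # In this run the task name is the install_file stem (schtasks /tn "Maple").
        host["task_name"] = cfg["install_file"].rsplit(".", 1)[0]
        host["startup_delay_s"] = cfg["delay"]
    return {"network": network, "host": host}


if __name__ == "__main__":
    result = triage(CONFIG)
    print("network:", result["network"])
    print("host:", result["host"])
```

The host bucket is what to hunt for: the file under the user's Roaming profile, a logon task with the same stem, and the mutex name. A public C2 address or a domain would land in the other buckets and be handled by perimeter or DNS controls.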
Signatures
- Asyncrat family
- Async RAT payload 1 IoCs
  resource | yara_rule
  behavioral1/files/0x0009000000023c01-11.dat | family_asyncrat
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | gggg.exe
- Executes dropped EXE 1 IoCs
  pid | Process
  1112 | Maple.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gggg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Maple.exe
- Delays execution with timeout.exe 1 IoCs
  pid | Process
  5048 | timeout.exe
- Modifies Internet Explorer settings 2 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
- Modifies registry class 5 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | explorer.exe
- Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  436 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses 25 IoCs
  pid | Process
  2528 | gggg.exe (23 entries)
  404 | msedge.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2528 | gggg.exe
  Token: SeDebugPrivilege | 1112 | Maple.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target
  PID 2528 wrote to memory of 3656 (x3) | 2528 | gggg.exe | 84
  PID 2528 wrote to memory of 1332 (x3) | 2528 | gggg.exe | 86
  PID 1332 wrote to memory of 5048 (x3) | 1332 | cmd.exe | 88
  PID 3656 wrote to memory of 436 (x3) | 3656 | cmd.exe | 89
  PID 1332 wrote to memory of 1112 (x3) | 1332 | cmd.exe | 90
  PID 2564 wrote to memory of 3108 (x2) | 2564 | msedge.exe | 119
  PID 2564 wrote to memory of 3888 (x40) | 2564 | msedge.exe | 120
  PID 2564 wrote to memory of 404 (x2) | 2564 | msedge.exe | 121
  PID 2564 wrote to memory of 4660 (x5) | 2564 | msedge.exe | 122
  The gggg.exe and cmd.exe entries correspond to the child processes in the tree below (the sample spawning cmd.exe, and cmd.exe spawning schtasks.exe, timeout.exe and Maple.exe). msedge.exe (PID 2564) is a separate top-level process, not a descendant of gggg.exe; its entries are Edge starting its own crashpad, GPU and utility helper processes and are not attributable to the sample.
Processes
Indentation gives the tree depth. Image paths under SysWOW64 while the command lines name System32 are the result of WoW64 file-system redirection: the sample is a 32-bit process (the resource tags list arch:x86 alongside arch:x64).
- C:\Users\Admin\AppData\Local\Temp\gggg.exe (PID 2528)
  "C:\Users\Admin\AppData\Local\Temp\gggg.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3656)
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Maple" /tr '"C:\Users\Admin\AppData\Roaming\Maple.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 436)
      schtasks /create /f /sc onlogon /rl highest /tn "Maple" /tr '"C:\Users\Admin\AppData\Roaming\Maple.exe"'
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\cmd.exe (PID 1332)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8760.tmp.bat""
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 5048)
      timeout 3
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\Maple.exe (PID 1112)
      "C:\Users\Admin\AppData\Roaming\Maple.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2564)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault3edd2747h6b88h4596h81dfh130afe40638f
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3108)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0xfc,0x138,0x7ffab08846f8,0x7ffab0884708,0x7ffab0884718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3888)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15130600351545634221,7499709520434050877,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 404)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15130600351545634221,7499709520434050877,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4660)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,15130600351545634221,7499709520434050877,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe (PID 1336)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1596)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\SysWOW64\DllHost.exe (PID 1292)
  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  - System Location Discovery: System Language Discovery
- C:\Windows\explorer.exe (PID 1724)
  C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
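The tree above is the whole AsyncRAT install routine in three command lines: cmd.exe registers a logon task with /rl highest whose action lives in the user's Roaming profile, a second cmd.exe runs a throw-away .bat from Temp, and that batch waits (timeout 3) before launching the dropped copy. The script below, an added example and not tria.ge output, turns those two observations into detection logic over process-creation events. EVENTS is constructed from the command lines and PIDs in the report plus one benign control entry; the minimal event schema (pid, ppid, image, cmdline) and the two rule names are assumptions, not any EDR's native format.

```python
"""Flag the AsyncRAT install chain over process-creation events.

Added example, not tria.ge output. EVENTS is constructed from the command
lines and PIDs in the report plus one benign control entry; the event schema
(pid, ppid, image, cmdline) is an assumption, not any EDR's native format.
"""
import re
from collections import defaultdict

EVENTS = [
    {"pid": 2528, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\gggg.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\gggg.exe"'},
    {"pid": 3656, "ppid": 2528, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon '''
                r'''/rl highest /tn "Maple" /tr '"C:\Users\Admin\AppData\Roaming\Maple.exe"' & exit'''},
    {"pid": 436, "ppid": 3656, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"""schtasks /create /f /sc onlogon /rl highest /tn "Maple" """
                r"""/tr '"C:\Users\Admin\AppData\Roaming\Maple.exe"'"""},
    {"pid": 1332, "ppid": 2528, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8760.tmp.bat""'},
    {"pid": 5048, "ppid": 1332, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 1112, "ppid": 1332, "image": r"C:\Users\Admin\AppData\Roaming\Maple.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Maple.exe"'},
    # Benign control (constructed): a daily task whose action lives under Program Files.
    {"pid": 9001, "ppid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Updater" /tr "C:\Program Files\Vendor\update.exe"'},
]

# Locations a standard user can write to; a task action or a binary here is a red flag.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.I)


def schtasks_opt(cmdline, name):
    """Value of a schtasks switch. Copes with the quoting in the report: a
    double-quoted /tn, a /tr wrapped in single quotes around a double-quoted
    path, and bare values such as /sc onlogon."""
    m = re.search(r"/%s\s+(?:['\"]+([^'\"]+)['\"]*|(\S+))" % name, cmdline, re.I)
    return (m.group(1) or m.group(2)).strip() if m else None


def persistence_task_findings(events):
    """schtasks /create with a logon/boot/minute trigger, highest run level,
    or an action in a user-writable path; any two of the three trip the rule."""
    out = []
    for ev in events:
        c = ev["cmdline"]
        if not ev["image"].lower().endswith("\\schtasks.exe") or not re.search(r"/create\b", c, re.I):
            continue
        sc, rl, tn, tr = (schtasks_opt(c, n) for n in ("sc", "rl", "tn", "tr"))
        reasons = []
        if sc and sc.lower() in ("onlogon", "onstart", "minute"):
            reasons.append("trigger=" + sc.lower())
        if rl and rl.lower() == "highest":
            reasons.append("runlevel=highest")
        if tr and USER_WRITABLE.search(tr):
            reasons.append("action in user-writable path")
        if len(reasons) >= 2:
            out.append({"rule": "schtasks_persistence", "pid": ev["pid"],
                        "task": tn, "action": tr, "reasons": reasons})
    return out


def install_chain_findings(events):
    """cmd.exe running a .bat from Temp whose children include timeout.exe and
    an executable under a user-writable path: the delay-then-launch routine
    that started Maple.exe in the report."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    out = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        if not re.search(r"\\Temp\\[^\"']+\.bat\b", e["cmdline"], re.I):
            continue
        kids = children[e["pid"]]
        delayed = any(k["image"].lower().endswith("\\timeout.exe") for k in kids)
        dropped = [k["image"] for k in kids if USER_WRITABLE.search(k["image"])]
        if delayed and dropped:
            parent = by_pid.get(e["ppid"], {}).get("image")
            out.append({"rule": "batch_delay_then_dropped_exe", "pid": e["pid"],
                        "parent": parent, "launched": dropped})
    return out


if __name__ == "__main__":
    for finding in persistence_task_findings(EVENTS) + install_chain_findings(EVENTS):
        print(finding)
```

The two rules are deliberately independent: the task rule fires on the schtasks.exe event alone, while the chain rule needs parent/child linkage and so only works on a feed that records ppid. Requiring two of three conditions in the task rule keeps a plain daily task in Program Files (the control entry) out of the results.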
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 52ac081bd1fcb8969cb82f4cb7ed6863
  SHA1: cf77a1e9b64d630702b9a20a46d7c59887ad90b5
  SHA256: 6f4ad356eff681a6fd670642296f2252d26ed8b517045a567fd0e6230300033a
  SHA512: 5b1b55ba9b2e68e5157e364f426bdd8f940f129a3034ea40dde574b281624d9d9fb2aa840d2600482e2c0a4f46c7288ceb1cfe2300f8991f53df891e9ee45898
- Filesize: 152B
  MD5: 37f660dd4b6ddf23bc37f5c823d1c33a
  SHA1: 1c35538aa307a3e09d15519df6ace99674ae428b
  SHA256: 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
  SHA512: 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d
- Filesize: 5KB
  MD5: c0940a59bf99979fee39622e2128ad26
  SHA1: 1afc96d70de350cfb55217c5ce0f62fd8a93ed9e
  SHA256: 5468de80e7ec9d65f3279c24fa6d75454a4895396bae24daca68b3ac560bed0a
  SHA512: 9ba63e829d2e72aeb5c5776a0fb26f7305677a317882880bf039d16f809da20447d72979f9e1b794b076564973a2ee412d5c90497a4672851482b75e9bf21391
- Filesize: 149B
  MD5: 77fa5f8bad80a133ab207311b763b9ef
  SHA1: 7e31c4c4d7291e27c0d1b234f31719e5f04e78db
  SHA256: 6da7b227acaebb03b08028ecc146a84ad7dbda23b59d71114659c30467075300
  SHA512: fe5c512a6b918fcf1d79552175e94a3336593dd64c9883092d9951af4de5ed9f0fbd419cd9bd9e718035782bba5fd414ea4ac6c25a8ea2e58a6db3b047388fb1
- Filesize: 52KB (hashes identical to the submitted gggg.exe; consistent with the install routine copying the sample to %AppData%\Maple.exe)
  MD5: fb6d592ff07d0e26a291b3e78c1ce139
  SHA1: e5e82e613372b0795f8347ac643e954f0c514df2
  SHA256: 347586f7facf4ef5fcb456f6589d65cb3167a7fa4379740ff03b2c861d8cf364
  SHA512: 5db5797fcb1a6c2cbd2e2f4aaf2a5fd47f693116583596292531b73a36eabc8517ee7bc1d8cb5a999f45a5ca91152f0b3a810ec00ce35c8283f02d1c5e287779