Analysis
- max time kernel: 20s
- max time network: 20s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2024, 22:25
Static task
static1
General
- Target: 2.3.3.exe
- Size: 1.7MB
- MD5: 6eb122e96a700bd2b8cc99145e341dca
- SHA1: cb7b638457cc0c9d91f2d160cff668be728e98e7
- SHA256: 7fdd01a97937e772442349582da60906c7af11674de1d2e7b5d8ef735d541310
- SHA512: a58e58533c58adc4e247d7a8e9f96034e04083b58d24b4f31ce191722978a2544d620e44d54ede8956698267dda2466303085d2f4b013859d928e915551d73e4
- SSDEEP: 24576:m9ohkx17Y1hjhLYgHZ/3n9xNGEDx6sjoduqJaa+WB0cmukAoArSnw4GTNL2aa3/K:2skxe1/vNG2jSuryBJoeSnw4uO
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: ahk
- C2:
  - 127.0.0.1:6606
  - 127.0.0.1:7707
  - 127.0.0.1:8808
- Mutex: ZCYbbgUqVRxZ
- Attributes:
  - delay: 3
  - install: false
  - install_file: powerhouse.exe
  - install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/4204-1-0x00000000007C0000-0x0000000000C0C000-memory.dmp | family_asyncrat
  behavioral1/memory/4204-2-0x00000000007C0000-0x0000000000C0C000-memory.dmp | family_asyncrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2.3.3.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2.3.3.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2.3.3.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 2.3.3.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid | Process
  4204 | 2.3.3.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2.3.3.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4204 | 2.3.3.exe
  4204 | 2.3.3.exe
  4376 | msedge.exe
  4376 | msedge.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4204 | 2.3.3.exe
  Token: SeDebugPrivilege | 4204 | 2.3.3.exe
- Suspicious use of WriteProcessMemory (64 IoCs; four distinct target processes, repeated rows collapsed)
  description | pid | Process | procid_target
  PID 720 wrote to memory of 1500 | 720 | msedge.exe | 94
  PID 720 wrote to memory of 2020 | 720 | msedge.exe | 95
  PID 720 wrote to memory of 4376 | 720 | msedge.exe | 96
  PID 720 wrote to memory of 2104 | 720 | msedge.exe | 97
Processes
- C:\Users\Admin\AppData\Local\Temp\2.3.3.exe (PID:4204)
  command line: "C:\Users\Admin\AppData\Local\Temp\2.3.3.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:720)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4ff26ffchb375h487dh9253hdc410e9d909c
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:1500)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcecce46f8,0x7ffcecce4708,0x7ffcecce4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:2020)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,9426571314349263463,1066343709785181275,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:4376)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,9426571314349263463,1066343709785181275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:2104)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,9426571314349263463,1066343709785181275,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe (PID:732)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID:3236)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: f426165d1e5f7df1b7a3758c306cd4ae
  SHA1: 59ef728fbbb5c4197600f61daec48556fec651c1
  SHA256: b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
  SHA512: 8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
- Filesize: 5KB
  MD5: dbb05b40602c65710f74220a10b01533
  SHA1: 16ecc8ec546b34d04acb91048ea40d534c670e25
  SHA256: 7370b172d6318aec6c8635911b7c0b295e6992a7e83e048746dc35f3f3dab9d0
  SHA512: 426575f996bb0ef8742eac952e8507886046a53710090f71368cda0e1a32a875ddf54ef91df6d6fde8309395ea95a696ee2c48ece365e7779569eab6d547933d
- Filesize: 8KB
  MD5: d0b2f98466bed461736265fb13746bd6
  SHA1: 996c5df06a6ba70e78efbbc555beefdba8ffd61f
  SHA256: 30d316115b66c808b7ccc792169b851b5d625eeefa3e8ade2a9e84df23963c4a
  SHA512: 15ebd214eaeeed40ee71b9d57fcfb77a134d12335a4266aaa85026743a687a907c7f6265651c1c9b506abba19fb6cfa655bc8bcd753aa804f5792c448bacbfd3