Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2024, 18:28 UTC

General

  • Target

    295e4452bc2d90c550ffd4ed35b88b0902528eff36122e37fb5449762a66939bN.exe

  • Size

    270KB

  • MD5

    8e5677d73dc60dc3c21e36263354f840

  • SHA1

    127cb5b81621dc3e33d770f93a4c8accaa37a292

  • SHA256

    295e4452bc2d90c550ffd4ed35b88b0902528eff36122e37fb5449762a66939b

  • SHA512

    85d6769625dad507a5510f8a07148f23540c9f0bdd3b1895b82189370f43d90641ae7b399bf9a44f5482bc173d9ba374e700bbed13c7b90b2d74a5ba67929734

  • SSDEEP

    3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sdka:WFzDqa86hV6uRRqX1evPlwAEdka

Malware Config

Extracted

Family

asyncrat

Version

0.4.9G

C2

corporation.warzonedns.com:9341

Mutex

480-28105c055659

Attributes
  • delay

    0

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
vmXa0N0yJa9Jr5jww0Ewtx9T9xzAsslh

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\295e4452bc2d90c550ffd4ed35b88b0902528eff36122e37fb5449762a66939bN.exe
    "C:\Users\Admin\AppData\Local\Temp\295e4452bc2d90c550ffd4ed35b88b0902528eff36122e37fb5449762a66939bN.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe
      "C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4512
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 180
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:4408
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:2864

    Network

    Downloads

    • C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat

      Filesize

      213B

      MD5

      0955cb4b691d44b37f8b6fad48a33b8e

      SHA1

      9dae759ae014cc124ab6eed7c8035788c124ae4a

      SHA256

      9092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71

      SHA512

      08b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235

    • C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe

      Filesize

      270KB

      MD5

      8d4070e83728bc5d23efd5e394e7a838

      SHA1

      dd8a5d40742bf2c11a126d548cc171072c3f2127

      SHA256

      1a0142e2e0112d4772e14409d88de0dd3d6e46c1600f70eafebbe23d7330dd0d

      SHA512

      88eb565b7c466152b9c75dd7b9836d4534d30fb501b07ba367d7c357e14d41c55880d923102fbe667bef2ca32f3e9d899049d8a4a21e80bce5526fa1266160d0
