Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/12/2024, 10:37 UTC

General

  • Target

    b899fc7141b866552940b6ee0f8ab0d214a05c8338906fd85fae67c507d652bb.exe

  • Size

    481KB

  • MD5

    3bcf40a5ad0db3f29f3c6243a923e277

  • SHA1

    5a500389d073311b3decc47819c19dd7faf56abb

  • SHA256

    b899fc7141b866552940b6ee0f8ab0d214a05c8338906fd85fae67c507d652bb

  • SHA512

    45ffa4c66672403220f96b58dc4bc6ac361aff38e8bb14743c63ab52659229d186a36181b7b396b024648f1f2bc54a67ca7224f1fe17cb2a4ad04d5986d78d9a

  • SSDEEP

    6144:csFDZUi1H8vzgMU+duPOyxzWtrboPZXBR+IhQaTb5Jz/:nlH8vzgL8QJxzWqRXBR

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

26/4/22

C2

znets.ddns.net:2000

dnets.ddns.net:2000

Mutex

mgjgjfugfrabywe7retren89i><LPO((*&*UJjiM8yn&&*N89I)(

Attributes
  • delay

    3

  • install

    false

  • install_file

    Windows Utility Essentials.exe

  • install_folder

    %AppData%

aes.plain

2orYbTaylhLwgAdW759LDCIGvbFwgMlY

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b899fc7141b866552940b6ee0f8ab0d214a05c8338906fd85fae67c507d652bb.exe
    "C:\Users\Admin\AppData\Local\Temp\b899fc7141b866552940b6ee0f8ab0d214a05c8338906fd85fae67c507d652bb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4224

Network

  All twelve queries went to 8.8.8.8:53 (US), one request and one response each. Only the two A lookups, for the configured C2 hosts, carry an originating process: both were issued by the vbc.exe child (PID 4224), the process the parent wrote into, and both resolved to 0.0.0.0, so no C2 connection could be made during this run. The ten PTR lookups have no process attributed to them and are not sample activity. A PTR row with an empty Answer column returned no answer record.

  Query                          Type  Process  Sent  Recv   Answer
  28.118.140.52.in-addr.arpa     PTR   -        72 B  158 B  -
  76.32.126.40.in-addr.arpa      PTR   -        71 B  157 B  -
  95.221.229.192.in-addr.arpa    PTR   -        73 B  144 B  -
  dnets.ddns.net                 A     vbc.exe  60 B  76 B   0.0.0.0
  228.249.119.40.in-addr.arpa    PTR   -        73 B  159 B  -
  znets.ddns.net                 A     vbc.exe  60 B  76 B   0.0.0.0
  56.163.245.4.in-addr.arpa      PTR   -        71 B  157 B  -
  206.23.85.13.in-addr.arpa      PTR   -        71 B  145 B  -
  172.210.232.199.in-addr.arpa   PTR   -        74 B  128 B  -
  172.214.232.199.in-addr.arpa   PTR   -        74 B  128 B  -
  19.229.111.52.in-addr.arpa     PTR   -        72 B  158 B  -
  83.210.23.2.in-addr.arpa       PTR   -        70 B  133 B  a2-23-210-83.deploy.static.akamaitechnologies.com

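What this run hands a detection engineer is the pairing visible above: a Microsoft-signed compiler (vbc.exe) launched with no arguments from a user-writable Temp path by a process that then called WriteProcessMemory and SetThreadContext on it, followed by that compiler resolving dynamic-DNS names. The Go program below is an added example, not a rule shipped by tria.ge or anyone else, that runs that correlation over a constructed Sysmon-style log (event ID 1 process creation and event ID 22 DNS query, one JSON object per line, modelled on the process tree and the two A lookups in this report, with a benign MSBuild-spawned vbc.exe added as a control; the explorer.exe parent and its PID are invented). It generalises past this report in two ways that are assumptions of the example rather than findings of the page: it also watches csc.exe, RegAsm.exe, RegSvcs.exe and InstallUtil.exe, which other .NET loaders hollow the same way, and it treats .ddns.net, .duckdns.org, .no-ip.org and .hopto.org as dynamic-DNS suffixes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Event carries the Sysmon fields the rule needs: event ID 1 (process create) and 22 (DNS query).
type Event struct {
	EventID         int    `json:"EventID"`
	ProcessId       int    `json:"ProcessId"`
	Image           string `json:"Image"`
	CommandLine     string `json:"CommandLine"`
	ParentImage     string `json:"ParentImage"`
	ParentProcessId int    `json:"ParentProcessId"`
	QueryName       string `json:"QueryName"`
}

// Finding accumulates the evidence against one PID.
type Finding struct {
	PID        int
	Image      string
	Parent     string
	BareLaunch bool     // compile host started with no arguments by a non-toolchain parent
	Queries    []string // DNS names the process resolved
}

// Severity: a bare launch alone is suspicious; a bare launch that then resolves names is the hollowing + C2 pattern.
func (f Finding) Severity() string {
	switch {
	case f.BareLaunch && len(f.Queries) > 0:
		return "high"
	case f.BareLaunch || len(f.Queries) > 0:
		return "medium"
	}
	return "info"
}

// Assumed lists (not taken from the report): .NET images commonly hollowed, parents that legitimately
// spawn them, and dynamic-DNS suffixes worth calling out.
var compileHosts = map[string]bool{"vbc.exe": true, "csc.exe": true, "regasm.exe": true, "regsvcs.exe": true, "installutil.exe": true}
var toolchainParents = map[string]bool{"msbuild.exe": true, "devenv.exe": true, "dotnet.exe": true, "vbcscompiler.exe": true}
var dynDNSSuffixes = []string{".ddns.net", ".duckdns.org", ".no-ip.org", ".hopto.org"}

// base lower-cases the file name of a Windows path even when the program runs on a non-Windows host.
func base(p string) string { return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/"))) }

// bareCommandLine is true when the command line is nothing but the (optionally quoted) image path.
func bareCommandLine(cmd, image string) bool {
	return strings.EqualFold(strings.Trim(strings.TrimSpace(cmd), `"`), image)
}

func IsDynDNS(name string) bool {
	n := strings.ToLower(name)
	for _, s := range dynDNSSuffixes {
		if strings.HasSuffix(n, s) {
			return true
		}
	}
	return false
}

// Analyze walks newline-delimited JSON events and correlates compile-host activity by PID.
func Analyze(log string) []Finding {
	byPID := map[int]*Finding{}
	var order []int
	get := func(e Event) *Finding {
		f, ok := byPID[e.ProcessId]
		if !ok {
			f = &Finding{PID: e.ProcessId, Image: e.Image}
			byPID[e.ProcessId] = f
			order = append(order, e.ProcessId)
		}
		return f
	}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil || !compileHosts[base(e.Image)] {
			continue // malformed line, or not a compile host: out of scope for this rule
		}
		switch e.EventID {
		case 1:
			if bareCommandLine(e.CommandLine, e.Image) && !toolchainParents[base(e.ParentImage)] {
				f := get(e)
				f.BareLaunch, f.Parent = true, e.ParentImage
			}
		case 22:
			f := get(e)
			f.Queries = append(f.Queries, e.QueryName)
		}
	}
	out := make([]Finding, 0, len(order))
	for _, pid := range order {
		out = append(out, *byPID[pid])
	}
	return out
}

// sampleLog is a constructed Sysmon-style log modelled on this report's process tree and DNS lookups,
// plus one benign vbc.exe run (PID 5100, spawned by MSBuild with arguments) as a control.
const sampleLog = `
{"EventID":1,"ProcessId":3124,"Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\b899fc7141b866552940b6ee0f8ab0d214a05c8338906fd85fae67c507d652bb.exe","CommandLine":"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b899fc7141b866552940b6ee0f8ab0d214a05c8338906fd85fae67c507d652bb.exe\"","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessId":1200}
{"EventID":1,"ProcessId":4224,"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe","CommandLine":"\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe\"","ParentImage":"C:\\Users\\Admin\\AppData\\Local\\Temp\\b899fc7141b866552940b6ee0f8ab0d214a05c8338906fd85fae67c507d652bb.exe","ParentProcessId":3124}
{"EventID":1,"ProcessId":5100,"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe","CommandLine":"\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe\" /noconfig /out:App.exe Module1.vb","ParentImage":"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ParentProcessId":5000}
{"EventID":22,"ProcessId":4224,"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe","QueryName":"dnets.ddns.net"}
{"EventID":22,"ProcessId":4224,"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe","QueryName":"znets.ddns.net"}
`

func main() {
	for _, f := range Analyze(sampleLog) {
		fmt.Printf("[%s] PID %d %s (parent: %s)\n", f.Severity(), f.PID, f.Image, f.Parent)
		for _, q := range f.Queries {
			fmt.Printf("    resolved %s (dynamic DNS: %v)\n", q, IsDynDNS(q))
		}
	}
}
```

The control run (PID 5100) produces no finding because its command line carries compiler arguments and its parent is MSBuild; the rule keys on the absence of arguments rather than on the parent alone, since a loader can just as easily be started by a legitimate-looking parent, and it escalates to high only when the same PID goes on to resolve names, which a compiler has no reason to do.
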
MITRE ATT&CK Enterprise v15

Downloads

  Dump                                                             Filesize
  memory/3124-0-0x00000000750AE000-0x00000000750AF000-memory.dmp   4KB
  memory/3124-1-0x0000000000A40000-0x0000000000ABE000-memory.dmp   504KB
  memory/3124-2-0x00000000059D0000-0x0000000005F74000-memory.dmp   5.6MB
  memory/3124-3-0x00000000054C0000-0x0000000005552000-memory.dmp   584KB
  memory/3124-4-0x00000000750A0000-0x0000000075850000-memory.dmp   7.7MB
  memory/3124-5-0x0000000005890000-0x000000000589A000-memory.dmp   40KB
  memory/3124-8-0x00000000750AE000-0x00000000750AF000-memory.dmp   4KB
  memory/3124-9-0x00000000750A0000-0x0000000075850000-memory.dmp   7.7MB
  memory/4224-6-0x0000000000400000-0x0000000000412000-memory.dmp   72KB
  memory/4224-7-0x00000000750A0000-0x0000000075850000-memory.dmp   7.7MB
  memory/4224-10-0x00000000750A0000-0x0000000075850000-memory.dmp  7.7MB
  memory/4224-11-0x00000000750A0000-0x0000000075850000-memory.dmp  7.7MB
  memory/4224-12-0x00000000750A0000-0x0000000075850000-memory.dmp  7.7MB

  Where to start: 3124-1 is the 504KB image of the submitted executable at its 0x00A40000 base, and 4224-6 is the 72KB image at 0x00400000 inside the vbc.exe child, the most likely home of whatever the parent wrote into it (see the WriteProcessMemory and SetThreadContext signatures above) and the dump to carve the AsyncRAT payload and its config from. The 7.7MB range 0x750A0000-0x75850000 is dumped repeatedly from both PIDs; a range at the same address in two processes is a shared module mapping, not sample-specific code.
