Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

bd337aa319...dN.exe

windows7-x64

10

bd337aa319...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    04/01/2025, 12:20 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd337aa3192a729d7d17725c0b62f215d27e4fbbfe549cd0331471f810faa0bdN.exe

  • Size

    74KB

  • MD5

    77871f58327c843333d20cbde8f414e0

  • SHA1

    1ae10e9b9d9305cfd939cd2c71afcb7aadc46536

  • SHA256

    bd337aa3192a729d7d17725c0b62f215d27e4fbbfe549cd0331471f810faa0bd

  • SHA512

    aaca63540270d02242743bec639bb6f2add9cd1e664648bb69a2745293bf89df6a49f0241649d568b00f5efb3cacdaec38beab788d12e21d2004b3a906f59df8

  • SSDEEP

    1536:8UaAcx2l/Cx2PMVie9VdQuDI6H1bf/HSpQzcMGVclN:8UDcx2Bq2PMVie9VdQsH1bf6pQtcY

Score
10/10
asyncratvenomratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:4449

18.231.223.127:4449
Mutex

ytlgxccuen

Attributes
  • delay

    1

  • install

    true

  • install_file

    expl0rer.exe

  • install_folder

    %AppData%

aes.plain
1
8yjcFOiQaDEdtI13s9Uww9b3mN1fcgrx

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • VenomRAT 3 IoCs

    Detects VenomRAT.

    rat
  • Venomrat family
    venomrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd337aa3192a729d7d17725c0b62f215d27e4fbbfe549cd0331471f810faa0bdN.exe
    "C:\Users\Admin\AppData\Local\Temp\bd337aa3192a729d7d17725c0b62f215d27e4fbbfe549cd0331471f810faa0bdN.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "expl0rer" /tr '"C:\Users\Admin\AppData\Roaming\expl0rer.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "expl0rer" /tr '"C:\Users\Admin\AppData\Roaming\expl0rer.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2964
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD9EB.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2360
      • C:\Users\Admin\AppData\Roaming\expl0rer.exe
        "C:\Users\Admin\AppData\Roaming\expl0rer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2900

Network

    No results found
  • 18.231.223.127:4449
    expl0rer.exe
    152 B
     3
  • 18.231.223.127:4449
    expl0rer.exe
    152 B
     3
  • 18.231.223.127:4449
    expl0rer.exe
    152 B
     3
  • 18.231.223.127:4449
    expl0rer.exe
    152 B
     3
  • 127.0.0.1:4449
    expl0rer.exe
  • 18.231.223.127:4449
    expl0rer.exe
    152 B
     3
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD9EB.tmp.bat
    Filesize

    152B

    MD5

    e5647cbff0419628e78c02a00601b5d1

    SHA1

    d29d59899649c888e4253bfd69bf8f26f37e98f4

    SHA256

    2e1bf283e844f2b0ba394fd2d7b313450ff6c143dbb9b3887411fa5577c7055b

    SHA512

    417a1c80b882358662eaafe826087b91374e547ad1370983f7bd77bac769a51745ccef5a30399a513f0465759161f9c43f8026947cb3a842db5118c6c8b6438c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
    Filesize

    8B

    MD5

    cf759e4c5f14fe3eec41b87ed756cea8

    SHA1

    c27c796bb3c2fac929359563676f4ba1ffada1f5

    SHA256

    c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

    SHA512

    c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\expl0rer.exe
    Filesize

    74KB

    MD5

    77871f58327c843333d20cbde8f414e0

    SHA1

    1ae10e9b9d9305cfd939cd2c71afcb7aadc46536

    SHA256

    bd337aa3192a729d7d17725c0b62f215d27e4fbbfe549cd0331471f810faa0bd

    SHA512

    aaca63540270d02242743bec639bb6f2add9cd1e664648bb69a2745293bf89df6a49f0241649d568b00f5efb3cacdaec38beab788d12e21d2004b3a906f59df8

    Download Submit

  • memory/2060-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2060-1-0x0000000000090000-0x00000000000A8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2060-3-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2060-4-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2060-14-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2900-18-0x0000000000D40000-0x0000000000D58000-memory.dmp

    Filesize

    96KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.