Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06/01/2025, 05:50
Static task
static1
Behavioral task
behavioral1
Sample
c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe
Resource
win7-20240903-en
General
-
Target
c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe
-
Size
811KB
-
MD5
e3ae2dc9b8b0582a266871b52e85c36f
-
SHA1
f783d1d0354bf3ad1dc4e506e4df3250a89ee765
-
SHA256
c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d
-
SHA512
c670e3d4bd63e054ca9d70ff1588e1c263cf73ca24f1be6f9cde9222e6c351b87e9c2855b42c50f5b92eea7e683ec62b67a2e7c2a0dae1a29e080113435ad438
-
SSDEEP
24576:qMjhsJkMwFz7D6h0lgoyM3VcH17lpMbTuIGVaiM2a:5zZFDaoIpMHGVa52a
Malware Config
Extracted
asyncrat
v1.2.2
Default
38.49.56.2:56003
38.49.56.2:56004
38.49.56.2:56005
gkggeeqkwjd
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/8-72-0x0000000002B20000-0x0000000002B32000-memory.dmp family_asyncrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp -
Executes dropped EXE 2 IoCs
pid Process 4748 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp 2272 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp -
Loads dropped DLL 5 IoCs
pid Process 3700 regsvr32.exe 8 regsvr32.exe 4652 regsvr32.exe 4244 regsvr32.EXE 4332 regsvr32.EXE -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to execute payload.
pid Process 2160 powershell.exe 3972 powershell.exe 3972 powershell.exe 2160 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 2272 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp 2272 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp 3972 powershell.exe 3972 powershell.exe 2160 powershell.exe 2160 powershell.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe 8 regsvr32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3972 powershell.exe Token: SeIncreaseQuotaPrivilege 3972 powershell.exe Token: SeSecurityPrivilege 3972 powershell.exe Token: SeTakeOwnershipPrivilege 3972 powershell.exe Token: SeLoadDriverPrivilege 3972 powershell.exe Token: SeSystemProfilePrivilege 3972 powershell.exe Token: SeSystemtimePrivilege 3972 powershell.exe Token: SeProfSingleProcessPrivilege 3972 powershell.exe Token: SeIncBasePriorityPrivilege 3972 powershell.exe Token: SeCreatePagefilePrivilege 3972 powershell.exe Token: SeBackupPrivilege 3972 powershell.exe Token: SeRestorePrivilege 3972 powershell.exe Token: SeShutdownPrivilege 3972 powershell.exe Token: SeDebugPrivilege 3972 powershell.exe Token: SeSystemEnvironmentPrivilege 3972 powershell.exe Token: SeRemoteShutdownPrivilege 3972 powershell.exe Token: SeUndockPrivilege 3972 powershell.exe Token: SeManageVolumePrivilege 3972 powershell.exe Token: 33 3972 powershell.exe Token: 34 3972 powershell.exe Token: 35 3972 powershell.exe Token: 36 3972 powershell.exe Token: SeDebugPrivilege 2160 powershell.exe Token: SeIncreaseQuotaPrivilege 2160 powershell.exe Token: SeSecurityPrivilege 2160 powershell.exe Token: SeTakeOwnershipPrivilege 2160 powershell.exe Token: SeLoadDriverPrivilege 2160 powershell.exe Token: SeSystemProfilePrivilege 2160 powershell.exe Token: SeSystemtimePrivilege 2160 powershell.exe Token: SeProfSingleProcessPrivilege 2160 powershell.exe Token: SeIncBasePriorityPrivilege 2160 powershell.exe Token: SeCreatePagefilePrivilege 2160 powershell.exe Token: SeBackupPrivilege 2160 powershell.exe Token: SeRestorePrivilege 2160 powershell.exe Token: SeShutdownPrivilege 2160 powershell.exe Token: SeDebugPrivilege 2160 powershell.exe Token: SeSystemEnvironmentPrivilege 2160 powershell.exe Token: SeRemoteShutdownPrivilege 2160 powershell.exe Token: SeUndockPrivilege 2160 powershell.exe Token: SeManageVolumePrivilege 2160 powershell.exe Token: 33 2160 powershell.exe Token: 34 2160 powershell.exe Token: 35 2160 powershell.exe Token: 36 2160 powershell.exe Token: SeIncreaseQuotaPrivilege 2160 powershell.exe Token: SeSecurityPrivilege 2160 powershell.exe Token: SeTakeOwnershipPrivilege 2160 powershell.exe Token: SeLoadDriverPrivilege 2160 powershell.exe Token: SeSystemProfilePrivilege 2160 powershell.exe Token: SeSystemtimePrivilege 2160 powershell.exe Token: SeProfSingleProcessPrivilege 2160 powershell.exe Token: SeIncBasePriorityPrivilege 2160 powershell.exe Token: SeCreatePagefilePrivilege 2160 powershell.exe Token: SeBackupPrivilege 2160 powershell.exe Token: SeRestorePrivilege 2160 powershell.exe Token: SeShutdownPrivilege 2160 powershell.exe Token: SeDebugPrivilege 2160 powershell.exe Token: SeSystemEnvironmentPrivilege 2160 powershell.exe Token: SeRemoteShutdownPrivilege 2160 powershell.exe Token: SeUndockPrivilege 2160 powershell.exe Token: SeManageVolumePrivilege 2160 powershell.exe Token: 33 2160 powershell.exe Token: 34 2160 powershell.exe Token: 35 2160 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2272 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 8 regsvr32.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1168 wrote to memory of 4748 1168 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe 82 PID 1168 wrote to memory of 4748 1168 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe 82 PID 1168 wrote to memory of 4748 1168 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe 82 PID 4748 wrote to memory of 3760 4748 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp 83 PID 4748 wrote to memory of 3760 4748 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp 83 PID 4748 wrote to memory of 3760 4748 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp 83 PID 3760 wrote to memory of 2272 3760 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe 84 PID 3760 wrote to memory of 2272 3760 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe 84 PID 3760 wrote to memory of 2272 3760 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe 84 PID 2272 wrote to memory of 3700 2272 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp 85 PID 2272 wrote to memory of 3700 2272 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp 85 PID 2272 wrote to memory of 3700 2272 c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp 85 PID 3700 wrote to memory of 8 3700 regsvr32.exe 86 PID 3700 wrote to memory of 8 3700 regsvr32.exe 86 PID 8 wrote to memory of 3972 8 regsvr32.exe 87 PID 8 wrote to memory of 3972 8 regsvr32.exe 87 PID 8 wrote to memory of 2160 8 regsvr32.exe 90 PID 8 wrote to memory of 2160 8 regsvr32.exe 90 PID 8 wrote to memory of 4652 8 regsvr32.exe 92 PID 8 wrote to memory of 4652 8 regsvr32.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe"C:\Users\Admin\AppData\Local\Temp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Users\Admin\AppData\Local\Temp\is-R5OBC.tmp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp"C:\Users\Admin\AppData\Local\Temp\is-R5OBC.tmp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp" /SL5="$80050,450685,141312,C:\Users\Admin\AppData\Local\Temp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Users\Admin\AppData\Local\Temp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe"C:\Users\Admin\AppData\Local\Temp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe" /VERYSILENT3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Users\Admin\AppData\Local\Temp\is-MQ6D8.tmp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp"C:\Users\Admin\AppData\Local\Temp\is-MQ6D8.tmp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp" /SL5="$140064,450685,141312,C:\Users\Admin\AppData\Local\Temp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe" /VERYSILENT4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" /s /i:360 C:\Users\Admin\AppData\Roaming\Setup_Coat.dll5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\system32\regsvr32.exe/s /i:360 C:\Users\Admin\AppData\Roaming\Setup_Coat.dll6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }"7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Coat.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8D74C7A9-9480-453C-96A5-592DCB2A7D74}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
-
C:\Windows\system32\regsvr32.exe"regsvr32" /i:360 /s C:\Users\Admin\AppData\Roaming\Setup_Coat.dll7⤵
- Loads dropped DLL
PID:4652
-
-
-
-
-
-
-
C:\Windows\system32\regsvr32.EXEC:\Windows\system32\regsvr32.EXE /S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Coat.dll1⤵
- Loads dropped DLL
PID:4244
-
C:\Windows\system32\regsvr32.EXEC:\Windows\system32\regsvr32.EXE /S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Coat.dll1⤵
- Loads dropped DLL
PID:4332
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5661739d384d9dfd807a089721202900b
SHA15b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA25670c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA51281b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
Filesize
1KB
MD56b3f025e0fe16f90a195d5a845ea92c4
SHA12039ca9aedf7bde38d5f538991ac4c3684651a07
SHA256cc1288db96dcc16fd4bef4fa2dd6d85e313af2e4c23fdf7f23b7f654cd61575a
SHA512ac8c18b21ed5d090808d99c3d657691f9d47894e77d18a35d8906cbbcc2e6e5c3f5b6926241a492068b01c74263161967a7ecd4f1b1972e65ae509bf5df5a20e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\is-R5OBC.tmp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp
Filesize1.1MB
MD58fdc58c7d4c59472615682d6dea9d190
SHA18e131fe09fd238493719b4fd92e6c833bf3596c1
SHA25626a5be637ee680b1ec11d1adf2fd0972cc52078cbd200d9273f8bb826707c83b
SHA512b05b9fd8ff3d627b562cbd2968466fb54adbc2fa5591ebe803300a3c5ef7887bc1761d8013b47aab0f5387265c8b7b15078a01abb75d4c3180671780181ebe24
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
724KB
MD56d3053a6f23cb5b6bd374cea07715ae8
SHA18bcb4c3d4d2d6a22b7af3382bfa38354244011e1
SHA2565a6a75ae667580ab68530d72a351e906204514aabb4acd241d31fa6e18d45b58
SHA512a7c135cfc1ce5ba9ecbcdba5f1698545cf16eaed5800bb63bdbbb995da1a8726bee79bdd4e4dd1b00671eb10a45baf34466cf0fdf3fc2c1a906aefca3bef5855