Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

c344f9de1a...0d.exe

windows7-x64

7

c344f9de1a...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/01/2025, 05:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe

  • Size

    811KB

  • MD5

    e3ae2dc9b8b0582a266871b52e85c36f

  • SHA1

    f783d1d0354bf3ad1dc4e506e4df3250a89ee765

  • SHA256

    c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d

  • SHA512

    c670e3d4bd63e054ca9d70ff1588e1c263cf73ca24f1be6f9cde9222e6c351b87e9c2855b42c50f5b92eea7e683ec62b67a2e7c2a0dae1a29e080113435ad438

  • SSDEEP

    24576:qMjhsJkMwFz7D6h0lgoyM3VcH17lpMbTuIGVaiM2a:5zZFDaoIpMHGVa52a

Score
10/10
asyncratdefaultdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

v1.2.2

Botnet

Default

C2

38.49.56.2:56003

38.49.56.2:56004

38.49.56.2:56005
Mutex

gkggeeqkwjd

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to execute payload.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe
    "C:\Users\Admin\AppData\Local\Temp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\is-R5OBC.tmp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-R5OBC.tmp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp" /SL5="$80050,450685,141312,C:\Users\Admin\AppData\Local\Temp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\Users\Admin\AppData\Local\Temp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe
        "C:\Users\Admin\AppData\Local\Temp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe" /VERYSILENT
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3760
        • C:\Users\Admin\AppData\Local\Temp\is-MQ6D8.tmp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-MQ6D8.tmp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp" /SL5="$140064,450685,141312,C:\Users\Admin\AppData\Local\Temp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2272
          • C:\Windows\SysWOW64\regsvr32.exe
            "regsvr32.exe" /s /i:360 C:\Users\Admin\AppData\Roaming\Setup_Coat.dll
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3700
            • C:\Windows\system32\regsvr32.exe
              /s /i:360 C:\Users\Admin\AppData\Roaming\Setup_Coat.dll
              6⤵
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:8
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3972
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Coat.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8D74C7A9-9480-453C-96A5-592DCB2A7D74}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2160
              • C:\Windows\system32\regsvr32.exe
                "regsvr32" /i:360 /s C:\Users\Admin\AppData\Roaming\Setup_Coat.dll
                7⤵
                • Loads dropped DLL
                PID:4652
  • C:\Windows\system32\regsvr32.EXE
    C:\Windows\system32\regsvr32.EXE /S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Coat.dll
    1⤵
    • Loads dropped DLL
    PID:4244
  • C:\Windows\system32\regsvr32.EXE
    C:\Windows\system32\regsvr32.EXE /S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Coat.dll
    1⤵
    • Loads dropped DLL
    PID:4332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    6b3f025e0fe16f90a195d5a845ea92c4

    SHA1

    2039ca9aedf7bde38d5f538991ac4c3684651a07

    SHA256

    cc1288db96dcc16fd4bef4fa2dd6d85e313af2e4c23fdf7f23b7f654cd61575a

    SHA512

    ac8c18b21ed5d090808d99c3d657691f9d47894e77d18a35d8906cbbcc2e6e5c3f5b6926241a492068b01c74263161967a7ecd4f1b1972e65ae509bf5df5a20e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f14ywkk2.w53.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-R5OBC.tmp\c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.tmp
    Filesize

    1.1MB

    MD5

    8fdc58c7d4c59472615682d6dea9d190

    SHA1

    8e131fe09fd238493719b4fd92e6c833bf3596c1

    SHA256

    26a5be637ee680b1ec11d1adf2fd0972cc52078cbd200d9273f8bb826707c83b

    SHA512

    b05b9fd8ff3d627b562cbd2968466fb54adbc2fa5591ebe803300a3c5ef7887bc1761d8013b47aab0f5387265c8b7b15078a01abb75d4c3180671780181ebe24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-RGKR3.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Setup_Coat.dll
    Filesize

    724KB

    MD5

    6d3053a6f23cb5b6bd374cea07715ae8

    SHA1

    8bcb4c3d4d2d6a22b7af3382bfa38354244011e1

    SHA256

    5a6a75ae667580ab68530d72a351e906204514aabb4acd241d31fa6e18d45b58

    SHA512

    a7c135cfc1ce5ba9ecbcdba5f1698545cf16eaed5800bb63bdbbb995da1a8726bee79bdd4e4dd1b00671eb10a45baf34466cf0fdf3fc2c1a906aefca3bef5855

    Download Submit

  • memory/8-72-0x0000000002B20000-0x0000000002B32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/8-74-0x00007FF869AD0000-0x00007FF869B6E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1168-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1168-19-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1168-2-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2272-24-0x0000000000400000-0x0000000000528000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2272-39-0x0000000000400000-0x0000000000528000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3760-14-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/3760-42-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/3760-16-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/3972-43-0x00000200B46C0000-0x00000200B46E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4748-18-0x0000000000400000-0x0000000000528000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4748-7-0x0000000000400000-0x0000000000528000-memory.dmp

    Filesize

    1.2MB

    Download