Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

trwesf.exe

windows7-x64

10

trwesf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/01/2025, 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    trwesf.exe

  • Size

    34KB

  • MD5

    75d3088b3da605e4b01ef86a8e8376dc

  • SHA1

    f487c38fda56c98488105ba03c88229c467dad43

  • SHA256

    8f03cdbacac14321711d751ac862231ccdb13522e07ff0f3a42e128ceba61f13

  • SHA512

    397816db0b9331b3bc660f29e80ec8549e51078e4f34ef4e452a8ef2376b99ff14eaad6331b026f23c6489b18511ed6c937570740e85dffbb8e5d178164d947e

  • SSDEEP

    768:wbqI7VVQEi5oaWPFaq8EGrUDjKZxxvjYrKa/O56Ue4uaPHx:w28VWH5ojsKGgDjKZxxiKa25npbPHx

Score
10/10
asyncratstormkittyvenomratdiscoveryratstealer

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 5 IoCs
  • Stormkitty family
    stormkitty
  • VenomRAT 5 IoCs

    Detects VenomRAT.

    rat
  • Venomrat family
    venomrat
  • Downloads MZ/PE file
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\trwesf.exe
    "C:\Users\Admin\AppData\Local\Temp\trwesf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\js0jbj5q\js0jbj5q.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEA3.tmp" "c:\Users\Admin\AppData\Local\Temp\js0jbj5q\CSC1BB36BF5E44045299758B7D57195F51E.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2660
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab8C9.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RESEEA3.tmp
    Filesize

    1KB

    MD5

    14183c70ae1b18afe2c443ab00190066

    SHA1

    97676a42527385e7ba2da4ee4a9eb3fc30576554

    SHA256

    70492f66b4d2905b1c0df589a5f4b4cc4f9fcad8defa1b8037085eabd0555d01

    SHA512

    22e28a96b3a0e31ded2ecbea2b1c53bddde3802b11428d9baba1375cb63d11fa9a01ba52aae9a65bdd4699afa6bb3ef12f70cf190f7c417c672cae1444807058

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar1A88.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\js0jbj5q\js0jbj5q.dll
    Filesize

    9KB

    MD5

    f0c017ad7d1aedfca015526466638a6f

    SHA1

    5a4e1322e11beab74461faaab391de60aeb5629b

    SHA256

    9d04c5f7ad15fa5eebceaebf19db3bfe51922dbd74bca26b460a7e2506f09cf8

    SHA512

    b1adea6d7fe13ef52540392b8eeab9460718bea4dc935032ffc0e9d0a5a02c2b8c5a54a541dfe8233af3e4de52e9d74438ff6058890acc4354cae21ba252d3c0

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\js0jbj5q\CSC1BB36BF5E44045299758B7D57195F51E.TMP
    Filesize

    652B

    MD5

    1ba90dc787c3a0f1f9bd24dc513c99b8

    SHA1

    1b3099fff714a2fc2010e0849bba9a590e264e02

    SHA256

    88e0dec196297832c0f3de5f28af760aa951ea38576872c83c7503292e2cb301

    SHA512

    11cb0fbc88d37a66880adf1a993a27f0ff2f2d6b7eff3d7031d3fff607d9274083c5dcf2d96fdd54e4c8f19733c7f5fb5616129b276a635a482c0e3bceb5f723

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\js0jbj5q\js0jbj5q.0.cs
    Filesize

    10KB

    MD5

    f8284f43aa8e48242dff1cad24736fcd

    SHA1

    ba8c41bc6175185a0bdbf8778df92e66a7029c65

    SHA256

    e12c8c4a47176808b9117ec2aa27c2afaf4bdddcd2f60eea48696aa7daa747f6

    SHA512

    4e84606d99d853f915662ffc996ac426fe7f02e90009f58c25a07c86bc84120c7d26dd2bfee3efc78099af7e729a5a6d27c611147eb64f908a9b58caa0a6b69c

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\js0jbj5q\js0jbj5q.cmdline
    Filesize

    204B

    MD5

    7edcf1be5d3c5368bd6acbae4aa3cec1

    SHA1

    7c44218ed2506d533bde3aaf609ca7449892c4e5

    SHA256

    ff40485ddbf9b4aeea6132d69ad28db7358ae8d02299a6840c370c5696beb130

    SHA512

    3dc3e4ecc85197c505f3073c31df55bc2adc6942f7d1147e11f965f81cd167a41b8569573ad97ce4af66c84d7001ec6ea0cb97fd61656a2d42acd3483904d2a6

    Download Submit

  • memory/2168-23-0x00000000744E0000-0x0000000074BCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2168-15-0x0000000000290000-0x0000000000298000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2168-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2168-6-0x00000000744E0000-0x0000000074BCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2168-1-0x0000000001340000-0x000000000134E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2224-17-0x0000000000400000-0x0000000000704000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2224-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2224-19-0x0000000000400000-0x0000000000704000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2224-18-0x0000000000400000-0x0000000000704000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2224-20-0x0000000000400000-0x0000000000704000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2224-25-0x0000000000400000-0x0000000000704000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2224-22-0x0000000000400000-0x0000000000704000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2224-27-0x0000000000400000-0x0000000000704000-memory.dmp

    Filesize

    3.0MB

    Download