Resubmissions
13/01/2025, 00:07   250113-aet59aymcl   3
11/01/2025, 23:31   250111-3h1resxjcl   10
11/01/2025, 23:29   250111-3g1p2awrgr   10

Analysis
max time kernel: 94s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/01/2025, 23:31

Static task: static1
Behavioral task: behavioral1
Sample: Drivers.exe
Resource: win10v2004-20241007-en
General
Target: Drivers.exe
Size: 21KB
MD5: 3dbe554d99db5921c2869df9745b32be
SHA1: ec61ad96e9848de6e55121c8acd8be6221cc204b
SHA256: 70b2d5ddb11d58b8a53d0fdc74259241057812e4dfc21a03b937a320e290d822
SHA512: 6e752d09c1c214bd73f5295eb6ff65eb324d123a57de4ae5516b972f9ec3208e962aca9089f9ef6b91ca3c9394d5c6fd68e806012e9b4aff3f9277b3ee8cd6cc
SSDEEP: 384:vTRQmNZSqP8MyoXKQmXNQltXpQyXlQx/uoOQtGQmXE9RrA5iXNjd2Ht5rkFJ0Wqx:WlOq2tzclrldjdKkFJCVA3g
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: 136.243.175.182:7777
Mutex: 9HD6aMtS9FtK
Attributes:
  delay: 3
  install: true
  install_file: Runtime Broker.exe
  install_folder: %AppData%
Signatures

Asyncrat family

Modifies Windows Defender Real-time Protection settings
description      ioc                                                                                                              Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  Drivers.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                  Drivers.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    Drivers.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    Drivers.exe

Async RAT payload 1 IoCs
resource                                  yara_rule
behavioral1/files/0x0007000000023cc7-12.dat  family_asyncrat

Disables Task Manager via registry modification

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                     Process
Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  Drivers.exe
Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  Main.exe

Executes dropped EXE 2 IoCs
pid   Process
3824  Main.exe
4236  Runtime Broker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Runtime Broker.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Main.exe

Delays execution with timeout.exe 1 IoCs
pid   Process
2800  timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1144  schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs
pid   Process
3824  Main.exe   (23 identical entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  3824  Main.exe
Token: SeDebugPrivilege  4236  Runtime Broker.exe

Suspicious use of WriteProcessMemory 18 IoCs
description                       pid   Process      procid_target
PID 3088 wrote to memory of 3824  3088  Drivers.exe  85   (3 identical entries)
PID 3824 wrote to memory of 1116  3824  Main.exe     88   (3 identical entries)
PID 3824 wrote to memory of 4796  3824  Main.exe     90   (3 identical entries)
PID 1116 wrote to memory of 1144  1116  cmd.exe      92   (3 identical entries)
PID 4796 wrote to memory of 2800  4796  cmd.exe      93   (3 identical entries)
PID 4796 wrote to memory of 4236  4796  cmd.exe      101  (3 identical entries)

System policy modification 1 TTPs 4 IoCs
description      ioc                                                                                      Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"      Drivers.exe
Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System                              Drivers.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableSettingsPage = "1"    Drivers.exe
Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer                            Drivers.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Drivers.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Drivers.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 3088

    C:\Users\Admin\AppData\Roaming\Main.exe
      command line: "C:\Users\Admin\AppData\Roaming\Main.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3824

        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 1116

            C:\Windows\SysWOW64\schtasks.exe
              command line: schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
              PID: 1144

        C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDC2.tmp.bat""
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4796

            C:\Windows\SysWOW64\timeout.exe
              command line: timeout 3
              - System Location Discovery: System Language Discovery
              - Delays execution with timeout.exe
              PID: 2800

            C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
              command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 4236
Network

MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

Filesize: 158B
MD5: aced0eaf91d2957ec4f9caf8ea3b9a5d
SHA1: 0defba8d1f633b86521b44484cac60074d03d584
SHA256: 423f9bf9dcf105d4f1663388390644752952fabaefb84daf66c4bb7547938f3f
SHA512: 36c50ca5b9b2aa21387aada35a972bbab7c3b8266edc0ad01e0c2411f41c868fdaf2c2e804023baa2dbfd2d2ac2428aea9e95fd721dd743c742c7740d1972c6b

Filesize: 45KB
MD5: 3c1178d8a8669ab6be6cd9f7e0cbe003
SHA1: 50899c700563e6e43a81ede481caa69c1e58eb39
SHA256: 901f4d6b37e9e2d2e17f082579d014a28d362711f3c90a0ca6537fb9412cd6ab
SHA512: 371c329eebda4d44d816a86a59e281e834c57713b2b5dea4ece025735874024487892c5a422a7857eecf0797b0ffe2dcb166edc4c874c487845550cb195a1d0b