Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

13/01/2025, 00:07

250113-aet59aymcl 3

11/01/2025, 23:31

250111-3h1resxjcl 10

11/01/2025, 23:29

250111-3g1p2awrgr 10

Analysis

  • max time kernel
    94s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/01/2025, 23:31

General

  • Target

    Drivers.exe

  • Size

    21KB

  • MD5

    3dbe554d99db5921c2869df9745b32be

  • SHA1

    ec61ad96e9848de6e55121c8acd8be6221cc204b

  • SHA256

    70b2d5ddb11d58b8a53d0fdc74259241057812e4dfc21a03b937a320e290d822

  • SHA512

    6e752d09c1c214bd73f5295eb6ff65eb324d123a57de4ae5516b972f9ec3208e962aca9089f9ef6b91ca3c9394d5c6fd68e806012e9b4aff3f9277b3ee8cd6cc

  • SSDEEP

    384:vTRQmNZSqP8MyoXKQmXNQltXpQyXlQx/uoOQtGQmXE9RrA5iXNjd2Ht5rkFJ0Wqx:WlOq2tzclrldjdKkFJCVA3g

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

136.243.175.182:7777

Mutex

9HD6aMtS9FtK

Attributes
  • delay

    3

  • install

    true

  • install_file

    Runtime Broker.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Async RAT payload 1 IoCs
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Drivers.exe
    "C:\Users\Admin\AppData\Local\Temp\Drivers.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3088
    • C:\Users\Admin\AppData\Roaming\Main.exe
      "C:\Users\Admin\AppData\Roaming\Main.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1144
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDC2.tmp.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4796
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2800
        • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
          "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpBDC2.tmp.bat

    Filesize

    158B

    MD5

    aced0eaf91d2957ec4f9caf8ea3b9a5d

    SHA1

    0defba8d1f633b86521b44484cac60074d03d584

    SHA256

    423f9bf9dcf105d4f1663388390644752952fabaefb84daf66c4bb7547938f3f

    SHA512

    36c50ca5b9b2aa21387aada35a972bbab7c3b8266edc0ad01e0c2411f41c868fdaf2c2e804023baa2dbfd2d2ac2428aea9e95fd721dd743c742c7740d1972c6b

  • C:\Users\Admin\AppData\Roaming\Main.exe

    Filesize

    45KB

    MD5

    3c1178d8a8669ab6be6cd9f7e0cbe003

    SHA1

    50899c700563e6e43a81ede481caa69c1e58eb39

    SHA256

    901f4d6b37e9e2d2e17f082579d014a28d362711f3c90a0ca6537fb9412cd6ab

    SHA512

    371c329eebda4d44d816a86a59e281e834c57713b2b5dea4ece025735874024487892c5a422a7857eecf0797b0ffe2dcb166edc4c874c487845550cb195a1d0b

  • memory/3824-24-0x00000000743D0000-0x0000000074B80000-memory.dmp

    Filesize

    7.7MB

  • memory/3824-23-0x0000000000740000-0x0000000000752000-memory.dmp

    Filesize

    72KB

  • memory/3824-25-0x0000000005000000-0x000000000509C000-memory.dmp

    Filesize

    624KB

  • memory/3824-30-0x00000000743D0000-0x0000000074B80000-memory.dmp

    Filesize

    7.7MB

  • memory/3824-22-0x00000000743DE000-0x00000000743DF000-memory.dmp

    Filesize

    4KB

  • memory/4236-37-0x0000000006040000-0x00000000065E4000-memory.dmp

    Filesize

    5.6MB

  • memory/4236-38-0x0000000005B00000-0x0000000005B66000-memory.dmp

    Filesize

    408KB

  • memory/4236-39-0x0000000006B30000-0x0000000006BA6000-memory.dmp

    Filesize

    472KB

  • memory/4236-40-0x0000000006AB0000-0x0000000006B18000-memory.dmp

    Filesize

    416KB

  • memory/4236-41-0x0000000006C10000-0x0000000006C2E000-memory.dmp

    Filesize

    120KB

  • memory/4236-42-0x0000000006F40000-0x0000000006FD2000-memory.dmp

    Filesize

    584KB

  • memory/4236-43-0x0000000007020000-0x0000000007084000-memory.dmp

    Filesize

    400KB