Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/01/2025, 17:35
Behavioral task: behavioral1
- Sample: Infected.exe
- Resource: win7-20240903-en
General
- Target: Infected.exe
- Size: 63KB
- MD5: abcbbfd4f4cdcef98962ad976802fb69
- SHA1: ecce5776a92707e00b28441975e73a715f9e2185
- SHA256: 1ee1af228d0cfcf2beae5a2df53a291d24fb6213c5e453cfb09c155b20a7a965
- SHA512: e38348d3f6983e02378dd4649630fd0a39ad6428bc82aa6f2738f1ec794b9b48db7457b3009f7f65e49fc5d994dcde6105fdf72bd572086d8017558aab541100
- SSDEEP: 768:RdGnVhwdjndk78TQC8A+XiuazcBRL5JTk1+T4KSBGHmDbD/ph0oXQxa/qSuAdpqM:mnSdsNdSJYUbdh9QxaFuAdpqKmY7
Malware Config
Extracted: asyncrat (Default)
- C2 hosts:
  - mbaper-28496.portmap.host:2420
  - mbaper-28496.portmap.host:28833
- delay: 1
- install: true
- install_file: Google.exe
- install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource: behavioral1/files/0x000b000000012029-15.dat; yara_rule: family_asyncrat
- Executes dropped EXE (1 IoC)
  pid 2620, process Google.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid 2700, process timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2644, process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 2192, process Infected.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2192, process Infected.exe
  Token: SeDebugPrivilege, pid 2620, process Google.exe
- Suspicious use of WriteProcessMemory (15 IoCs; each row below is reported 3 times)
  PID 2192 (Infected.exe) wrote to memory of 2896, procid_target 30
  PID 2192 (Infected.exe) wrote to memory of 2616, procid_target 32
  PID 2616 (cmd.exe) wrote to memory of 2700, procid_target 34
  PID 2896 (cmd.exe) wrote to memory of 2644, procid_target 35
  PID 2616 (cmd.exe) wrote to memory of 2620, procid_target 36
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\Infected.exe (PID 2192)
   command line: "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe (PID 2896)
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google" /tr '"C:\Users\Admin\AppData\Roaming\Google.exe"' & exit
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\schtasks.exe (PID 2644)
         command line: schtasks /create /f /sc onlogon /rl highest /tn "Google" /tr '"C:\Users\Admin\AppData\Roaming\Google.exe"'
         - Scheduled Task/Job: Scheduled Task
   2. C:\Windows\system32\cmd.exe (PID 2616)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.bat""
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\timeout.exe (PID 2700)
         command line: timeout 3
         - Delays execution with timeout.exe
      3. C:\Users\Admin\AppData\Roaming\Google.exe (PID 2620)
         command line: "C:\Users\Admin\AppData\Roaming\Google.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 150B
  MD5: 8927ebf245cdddf970a5b765f23f564f
  SHA1: ad32a9ec31de971e9bfe1a175b55da55212017a0
  SHA256: 608114dc282102c1afb6461e920971d11ddd97d0dc9defa07d51c87910c7a6b6
  SHA512: 25d9e8fa9606a553f1fd1b275e1a701a3a5adcaba765160836c4f0f7f865adb1d93abae02fcf6731ccb4e0401b3fb2fc8dcf239a3eb603232e8838b3360891dd
- Filesize: 63KB
  MD5: abcbbfd4f4cdcef98962ad976802fb69
  SHA1: ecce5776a92707e00b28441975e73a715f9e2185
  SHA256: 1ee1af228d0cfcf2beae5a2df53a291d24fb6213c5e453cfb09c155b20a7a965
  SHA512: e38348d3f6983e02378dd4649630fd0a39ad6428bc82aa6f2738f1ec794b9b48db7457b3009f7f65e49fc5d994dcde6105fdf72bd572086d8017558aab541100