Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/01/2025, 05:56 UTC

General

  • Target

    f368400a4f67b6f2390343181e5d1945967c6cd25088798984e6e4654a1b928c.exe

  • Size

    63KB

  • MD5

    6ae8830520e0bf079fc97aa207673ac6

  • SHA1

    8eab31bfba85b5847573bda4257f79c607f0c297

  • SHA256

    f368400a4f67b6f2390343181e5d1945967c6cd25088798984e6e4654a1b928c

  • SHA512

    cb8e918f34780d91673fdcc6bf3a70d2a1bf82bafb62f59ab6fc0f98b5ee09a8ed404d99fee25a4d5f55f9b7c4a5dc280d41725c596e6ddb8fae158542f14596

  • SSDEEP

    1536:+62ZBUFWbPZEYUbeM9odcrXuEdpqKmY7:+62CWbP6YUbe1cr5Gz

Score
10/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:1337

127.0.0.1:26550

147.185.221.24:1337

147.185.221.24:26550

Attributes
  • delay

    3

  • install

    true

  • install_file

    hawktuah.exe

  • install_folder

    %AppData%

aes.plain

zNgAgG0iJJxrmLckNgdyqTs5p5RkQgnR
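
How the aes.plain value is used: AsyncRAT does not encrypt with that string directly. It runs it through PBKDF2 (the .NET Rfc2898DeriveBytes default, HMAC-SHA1, 50000 iterations, fixed salt), takes the first 32 bytes of the output as the AES-256-CBC key and the next 64 as an HMAC-SHA256 key, and stores each config field (hosts, ports, install settings above) as base64 of HMAC || IV || ciphertext, with the MAC covering IV and ciphertext. The Go program below is an added example of that scheme, not tria.ge's extractor or AsyncRAT's own code; the salt and iteration count are taken from the public AsyncRAT source as recalled here and should be checked against the sample, and the encrypted field is constructed inside the block because the page shows no raw config blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"hash"
)

// Salt and iteration count as in the public AsyncRAT source (assumed; verify against the sample).
var asyncRATSalt = []byte{
	0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
	0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
}

const iterations, aesKeyLen, authKeyLen, hmacLen, ivLen = 50000, 32, 64, 32, 16

// pbkdf2 is RFC 8018 PBKDF2, written out so only the standard library is needed.
func pbkdf2(prf func() hash.Hash, password, salt []byte, iter, keyLen int) []byte {
	mac := hmac.New(prf, password)
	var out []byte
	for blk := uint32(1); len(out) < keyLen; blk++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write([]byte{byte(blk >> 24), byte(blk >> 16), byte(blk >> 8), byte(blk)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// AsyncCipher holds the two keys cut from one PBKDF2-HMAC-SHA1 stream: bytes 0..31 for AES-256, 32..95 for HMAC-SHA256.
type AsyncCipher struct{ key, authKey []byte }

func NewAsyncCipher(plainKey string) *AsyncCipher {
	dk := pbkdf2(sha1.New, []byte(plainKey), asyncRATSalt, iterations, aesKeyLen+authKeyLen)
	return &AsyncCipher{key: dk[:aesKeyLen], authKey: dk[aesKeyLen:]}
}

// Decrypt takes base64 of HMAC(32) || IV(16) || AES-CBC ciphertext, checks the MAC over IV||ciphertext first, then decrypts and strips PKCS#7 padding.
func (c *AsyncCipher) Decrypt(b64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	ctLen := len(blob) - hmacLen - ivLen
	if ctLen < aes.BlockSize || ctLen%aes.BlockSize != 0 {
		return "", errors.New("malformed blob")
	}
	mac := hmac.New(sha256.New, c.authKey)
	mac.Write(blob[hmacLen:])
	if !hmac.Equal(mac.Sum(nil), blob[:hmacLen]) {
		return "", errors.New("HMAC mismatch: wrong key or corrupted config")
	}
	block, _ := aes.NewCipher(c.key) // key length is fixed at 32 bytes, so this cannot fail
	pt := make([]byte, ctLen)
	cipher.NewCBCDecrypter(block, blob[hmacLen:hmacLen+ivLen]).CryptBlocks(pt, blob[hmacLen+ivLen:])
	n := int(pt[ctLen-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[ctLen-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding")
	}
	return string(pt[:ctLen-n]), nil
}

// Encrypt is the inverse; it is here only to build constructed blobs in the same layout.
func (c *AsyncCipher) Encrypt(plain string) (string, error) {
	block, _ := aes.NewCipher(c.key)
	n := aes.BlockSize - len(plain)%aes.BlockSize
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	body := make([]byte, ivLen+len(pt))
	if _, err := rand.Read(body[:ivLen]); err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, body[:ivLen]).CryptBlocks(body[ivLen:], pt)
	mac := hmac.New(sha256.New, c.authKey)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(append(mac.Sum(nil), body...)), nil
}

func main() {
	c := NewAsyncCipher("zNgAgG0iJJxrmLckNgdyqTs5p5RkQgnR") // aes.plain from the report
	blob, _ := c.Encrypt("127.0.0.1,147.185.221.24")         // constructed Hosts field, not from the binary
	fmt.Println(c.Decrypt(blob))
	fmt.Println(NewAsyncCipher("wrong-key").Decrypt(blob))
}
```

The MAC check runs before any decryption, which is why a wrong aes.plain fails with an HMAC error rather than producing garbage; when an extractor reports a key but the fields will not decrypt, the first things to re-check are the salt, the iteration count and whether the binary is a fork that changed them.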

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • AsyncRAT family
  • Async RAT payload (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f368400a4f67b6f2390343181e5d1945967c6cd25088798984e6e4654a1b928c.exe
    "C:\Users\Admin\AppData\Local\Temp\f368400a4f67b6f2390343181e5d1945967c6cd25088798984e6e4654a1b928c.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "hawktuah" /tr '"C:\Users\Admin\AppData\Roaming\hawktuah.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "hawktuah" /tr '"C:\Users\Admin\AppData\Roaming\hawktuah.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2732
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5B59.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2652
      • C:\Users\Admin\AppData\Roaming\hawktuah.exe
        "C:\Users\Admin\AppData\Roaming\hawktuah.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2068
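
The tree above is the stock AsyncRAT install sequence: the sample registers an ONLOGON task with /rl highest pointing at a copy of itself in %AppData% (in the public AsyncRAT source this is the branch taken when the process is elevated, which the sandbox's Admin account provides; the non-elevated branch uses a Run key instead), then runs a temporary .bat that waits with timeout and starts the copy. The Go program below is an added example of detection logic over that pattern, not tria.ge's signature engine; its events are constructed from the PIDs, images and command lines shown above, and the record layout (PID, parent PID, image, command line, SHA256) is an assumption about what the reader's telemetry provides.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is a minimal process-creation record (what a Sysmon Event ID 1 row or EDR
// telemetry carries); the field set is an assumption about the reader's data source.
type ProcEvent struct {
	PID, PPID      int
	Image, CmdLine string
	SHA256         string // empty when the image was not hashed
}

type Finding struct {
	PID          int
	Rule, Detail string
}

var (
	reCreate   = regexp.MustCompile(`(?i)\s/create\b`)
	reOnLogon  = regexp.MustCompile(`(?i)\s/sc\s+onlogon\b`)
	reHighest  = regexp.MustCompile(`(?i)\s/rl\s+highest\b`)
	reTaskName = regexp.MustCompile(`(?i)\s/tn\s+"?([^"\s]+)`)
	reTaskRun  = regexp.MustCompile(`(?i)\s/tr\s+['"]*([^'"]+)`)
	reUserPath = regexp.MustCompile(`(?i)\\AppData\\(?:Roaming|Local)\\`)
	reTempBat  = regexp.MustCompile(`(?i)\\AppData\\Local\\Temp\\[^"\s]+\.bat\b`)
	reTimeout  = regexp.MustCompile(`(?i)^"?timeout(?:\.exe)?"?\s+\d+`)
)

func imageIs(ev ProcEvent, name string) bool {
	return strings.HasSuffix(strings.ToLower(ev.Image), `\`+name)
}

// FlagPersistence applies three checks modelled on the tree in the report:
//  1. schtasks /create with /sc onlogon and /rl highest whose /tr target is under AppData;
//  2. timeout.exe spawned by a cmd.exe running a .bat from %Temp%, with a sibling .exe under
//     AppData started by the same cmd.exe (delayed relaunch of the dropped copy);
//  3. a process under AppData whose SHA256 equals an ancestor's (the sample re-running itself).
func FlagPersistence(events []ProcEvent) []Finding {
	byPID := map[int]ProcEvent{}
	children := map[int][]ProcEvent{}
	for _, ev := range events {
		byPID[ev.PID] = ev
		children[ev.PPID] = append(children[ev.PPID], ev)
	}
	var out []Finding
	for _, ev := range events {
		cl := ev.CmdLine
		if imageIs(ev, "schtasks.exe") && reCreate.MatchString(cl) && reOnLogon.MatchString(cl) && reHighest.MatchString(cl) {
			if m := reTaskRun.FindStringSubmatch(cl); m != nil && reUserPath.MatchString(m[1]) {
				name := ""
				if n := reTaskName.FindStringSubmatch(cl); n != nil {
					name = n[1]
				}
				out = append(out, Finding{ev.PID, "schtasks-onlogon-highest-userpath", fmt.Sprintf("task %q runs %s at logon with highest privileges", name, m[1])})
			}
		}
		if imageIs(ev, "timeout.exe") && reTimeout.MatchString(cl) {
			if parent, ok := byPID[ev.PPID]; ok && imageIs(parent, "cmd.exe") && reTempBat.MatchString(parent.CmdLine) {
				for _, sib := range children[ev.PPID] {
					if sib.PID != ev.PID && reUserPath.MatchString(sib.Image) && strings.HasSuffix(strings.ToLower(sib.Image), ".exe") {
						out = append(out, Finding{sib.PID, "temp-batch-timeout-relaunch", fmt.Sprintf("%s delayed with %q then started %s", reTempBat.FindString(parent.CmdLine), cl, sib.Image)})
					}
				}
			}
		}
		if ev.SHA256 != "" && reUserPath.MatchString(ev.Image) {
			for p, depth := ev.PPID, 0; depth < 16; depth++ { // depth bound guards against PID reuse cycles
				anc, ok := byPID[p]
				if !ok {
					break
				}
				if anc.SHA256 == ev.SHA256 {
					out = append(out, Finding{ev.PID, "dropped-self-copy", fmt.Sprintf("%s has the same SHA256 as ancestor PID %d", ev.Image, anc.PID)})
					break
				}
				p = anc.PPID
			}
		}
	}
	return out
}

const sampleSHA = "f368400a4f67b6f2390343181e5d1945967c6cd25088798984e6e4654a1b928c"

// SampleEvents is constructed from the report's process tree (PIDs, images and command lines as shown).
func SampleEvents() []ProcEvent {
	orig := `C:\Users\Admin\AppData\Local\Temp\` + sampleSHA + `.exe`
	drop := `C:\Users\Admin\AppData\Roaming\hawktuah.exe`
	task := `schtasks /create /f /sc onlogon /rl highest /tn "hawktuah" /tr '"` + drop + `"'`
	return []ProcEvent{
		{2092, 0, orig, `"` + orig + `"`, sampleSHA},
		{2900, 2092, `C:\Windows\System32\cmd.exe`, `"C:\Windows\System32\cmd.exe" /c ` + task + ` & exit`, ""},
		{2732, 2900, `C:\Windows\system32\schtasks.exe`, task, ""},
		{2676, 2092, `C:\Windows\system32\cmd.exe`, `cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5B59.tmp.bat""`, ""},
		{2652, 2676, `C:\Windows\system32\timeout.exe`, `timeout 3`, ""},
		{2068, 2676, drop, `"` + drop + `"`, sampleSHA},
	}
}

func main() {
	for _, f := range FlagPersistence(SampleEvents()) {
		fmt.Printf("PID %d [%s] %s\n", f.PID, f.Rule, f.Detail)
	}
}
```

Rule 1 keys on the combination of ONLOGON, /rl highest and a user-writable target rather than on schtasks alone, which keeps vendor updaters installed under Program Files out of the results; rule 3 is the one that survives a renamed install_file, since it compares hashes, not names.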

Network

Connections observed during the run (the 127.0.0.1 entries in the extracted C2 list are loopback and never leave the host; only 147.185.221.24 is usable as a network indicator):
  • 127.0.0.1:1337
    hawktuah.exe
  • 127.0.0.1:1337
    hawktuah.exe
  • 147.185.221.24:26550
    hawktuah.exe
    152 B
    3
  • 147.185.221.24:26550
    hawktuah.exe
    152 B
    3
  • 127.0.0.1:1337
    hawktuah.exe
  • 127.0.0.1:1337
    hawktuah.exe
  • 147.185.221.24:26550
    hawktuah.exe
    152 B
    3
  • 127.0.0.1:1337
    hawktuah.exe
  • 127.0.0.1:1337
    hawktuah.exe
  • 127.0.0.1:1337
    hawktuah.exe
  • 127.0.0.1:1337
    hawktuah.exe
  • 127.0.0.1:1337
    hawktuah.exe
  • 127.0.0.1:1337
    hawktuah.exe


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5B59.tmp.bat

    Filesize

    152B

    MD5

    0c9337e12929fea7bd12d0640b29a951

    SHA1

    7009bbb4609e04a19c0b50b69174b00dcef8f7da

    SHA256

    0a7e5e908eab412309b2e2a4113521455e9f03623787a0cafd9c0df9e195e6a4

    SHA512

    4cc826b9b8454e79ed877f23a85fd150f453cf0a4f92f5ca402332c8f8c67c52f05e594a3d1de647364e440e6ef1bf549d17b46cffd9dea01d3184395841833b

  • C:\Users\Admin\AppData\Roaming\hawktuah.exe (byte-identical to the submitted sample: same size and hashes)

    Filesize

    63KB

    MD5

    6ae8830520e0bf079fc97aa207673ac6

    SHA1

    8eab31bfba85b5847573bda4257f79c607f0c297

    SHA256

    f368400a4f67b6f2390343181e5d1945967c6cd25088798984e6e4654a1b928c

    SHA512

    cb8e918f34780d91673fdcc6bf3a70d2a1bf82bafb62f59ab6fc0f98b5ee09a8ed404d99fee25a4d5f55f9b7c4a5dc280d41725c596e6ddb8fae158542f14596

  • memory/2068-17-0x0000000000A30000-0x0000000000A46000-memory.dmp

    Filesize

    88KB

  • memory/2092-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

    Filesize

    4KB

  • memory/2092-1-0x00000000010B0000-0x00000000010C6000-memory.dmp

    Filesize

    88KB

  • memory/2092-2-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

    Filesize

    9.9MB

  • memory/2092-3-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

    Filesize

    9.9MB

  • memory/2092-13-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

    Filesize

    9.9MB
