Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
127s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted
08/02/2025, 15:11
Static task
static1
Behavioral task
behavioral1
Sample
b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537.exe
Resource
win7-20240729-en
General
-
Target
b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537.exe
-
Size
243KB
-
MD5
d88a06a393582a79ab6da48982ec87ae
-
SHA1
e5cc4271431fa138f4594847c20a5be3f6c919e4
-
SHA256
b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537
-
SHA512
41c75993633bf8d1f2dd9ab956ed40510a1d7678214a5311aed096c0e4678d6df57542908c4329f2424e9cb488f15cd554b06b151e909f7c70e4ce9d9a9191ac
-
SSDEEP
3072:KHkVhd52JYWsfVrhbjAY1GSEuywqamd/4bWSHqYubGtHshmRgSPG9oMNLxb:KHkVhd52JdYhbt1GCE2bUwZe+PElNh
Malware Config
Extracted
Family
asyncrat
-
Version
Venom RAT + HVNC + Stealer + Grabber v6.0.3
-
Botnet
Default
-
C2
89.23.100.93:4449
-
Mutex
oonrejgwedvxwse
-
delay
1
-
install
true
-
install_file
calc.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
resource | yara_rule
behavioral1/memory/2692-1-0x00000000002C0000-0x00000000002D8000-memory.dmp | VenomRAT
behavioral1/memory/2692-5-0x0000000000400000-0x000000000043F000-memory.dmp | VenomRAT
behavioral1/memory/2624-21-0x0000000000230000-0x0000000000248000-memory.dmp | VenomRAT
Venomrat family
-
Executes dropped EXE 1 IoCs
pid Process 2624 calc.exe -
Loads dropped DLL 2 IoCs
pid Process 2816 cmd.exe 2816 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | calc.exe
Delays execution with timeout.exe 1 IoCs
pid Process 2716 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2608 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
2692 | b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537.exe (3 events)
2624 | calc.exe (7 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2692 | b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537.exe
Token: SeDebugPrivilege | 2624 | calc.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2624 calc.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 2692 wrote to memory of 2560 (4 events) | 2692 | b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537.exe | 31
PID 2692 wrote to memory of 2816 (4 events) | 2692 | b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537.exe | 33
PID 2816 wrote to memory of 2716 (4 events) | 2816 | cmd.exe | 35
PID 2560 wrote to memory of 2608 (4 events) | 2560 | cmd.exe | 36
PID 2816 wrote to memory of 2624 (4 events) | 2816 | cmd.exe | 37
Processes
-
- C:\Users\Admin\AppData\Local\Temp\b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537.exe (PID 2692)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2560, child of 2692)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\Admin\AppData\Roaming\calc.exe"' & exit
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2608, child of 2560)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\Admin\AppData\Roaming\calc.exe"'
      Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\cmd.exe (PID 2816, child of 2692)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3572.tmp.bat""
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 2716, child of 2816)
      Command line: timeout 3
      Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\calc.exe (PID 2624, child of 2816)
      Command line: "C:\Users\Admin\AppData\Roaming\calc.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

Note: the child images resolve to C:\Windows\SysWOW64\ even though the command lines name C:\Windows\System32\; that is WOW64 file-system redirection for a 32-bit parent (the resource tags list both arch:x86 and arch:x64). The two cmd.exe children split the work: PID 2560 registers the "calc" logon task with /rl highest, and PID 2816 runs a Temp batch file that waits three seconds and then starts the dropped copy at %AppData%\calc.exe, matching the install_folder and install_file values in the extracted config.
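The following is an added example, not part of the tria.ge report and not the sample's own code: it checks process records for the three stages shown in the tree above (a schtasks /create with an onlogon trigger, highest run level and an action under AppData; a Temp .bat that delays with timeout.exe; the dropped EXE running from the install path derived from the extracted config). The process records and config values are transcribed from this report into Python data, so they are constructed input rather than a live capture, and the regexes, the SYSTEM_NAMES list and the "Admin" user name are this example's own assumptions.

```python
"""Flag the install chain this report shows (schtasks persistence, delayed launch
from a Temp .bat, dropped EXE at the configured install path) from process records.

Records and config values are transcribed from the report above and built here as
plain Python data (constructed input, not a live capture).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str    # path of the executing image
    cmdline: str  # command line as recorded


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537.exe"
SCHTASKS_CMD = r"""schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\Admin\AppData\Roaming\calc.exe"'"""

PROCS: List[Proc] = [  # constructed from the report's process tree
    Proc(2692, None, SAMPLE, '"' + SAMPLE + '"'),
    Proc(2560, 2692, r"C:\Windows\SysWOW64\cmd.exe",
         '"' + r"C:\Windows\System32\cmd.exe" + '" /c ' + SCHTASKS_CMD + " & exit"),
    Proc(2608, 2560, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_CMD),
    Proc(2816, 2692, r"C:\Windows\SysWOW64\cmd.exe",
         r'''cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3572.tmp.bat""'''),
    Proc(2716, 2816, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    Proc(2624, 2816, r"C:\Users\Admin\AppData\Roaming\calc.exe",
         r'"C:\Users\Admin\AppData\Roaming\calc.exe"'),
]

# Extracted config from the report (field names as the report shows them).
CONFIG = {"c2": "89.23.100.93:4449", "mutex": "oonrejgwedvxwse", "delay": 1,
          "install": True, "install_file": "calc.exe", "install_folder": "%AppData%"}

# schtasks "/opt value": the value may be wrapped as '"..."' (as here), "...", or bare.
OPT_RE = re.compile(r"""/(\w+)(?:\s+('"[^"]*"'|"[^"]*"|(?!/)[^\s&]+))?""")
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
TEMP_BAT = re.compile(r"\\Temp\\[^\"]+\.bat", re.I)
# Assumed, illustrative list of names a dropped payload may borrow; this sample used calc.exe.
SYSTEM_NAMES = {"calc.exe", "notepad.exe", "svchost.exe", "explorer.exe"}


def parse_schtasks(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Map schtasks /options to their unquoted values; None if this is not schtasks."""
    if "schtasks" not in cmdline.lower():
        return None
    opts: Dict[str, Optional[str]] = {}
    for m in OPT_RE.finditer(cmdline):
        val = m.group(2)
        opts[m.group(1).lower()] = val.strip("'").strip('"') if val else None
    return opts


def expected_install_path(cfg: dict, user: str = "Admin") -> str:
    """Expand the config's %AppData% install folder for the (assumed) sandbox user."""
    folder = cfg["install_folder"].replace("%AppData%", rf"C:\Users\{user}\AppData\Roaming")
    return folder + "\\" + cfg["install_file"]


def masquerades(path: str) -> bool:
    """A system-binary name executing from outside C:\\Windows."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\")


def analyze(procs: List[Proc], cfg: dict) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) findings for each stage of the install chain."""
    by_pid = {p.pid: p for p in procs}
    install_path = expected_install_path(cfg).lower()
    findings: List[Tuple[int, str, str]] = []
    for p in procs:
        name = p.image.rsplit("\\", 1)[-1].lower()
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if name == "schtasks.exe":
            opts = parse_schtasks(p.cmdline) or {}
            if "create" in opts:
                action = opts.get("tr") or ""
                why = []
                if (opts.get("sc") or "").lower() == "onlogon":
                    why.append("onlogon trigger")
                if (opts.get("rl") or "").lower() == "highest":
                    why.append("runlevel highest")
                if USER_WRITABLE.search(action):
                    why.append("action in user-writable path")
                if masquerades(action):
                    why.append("system binary name outside C:\\Windows")
                if why:
                    findings.append((p.pid, "schtasks_persistence", "; ".join(why)))
        elif name == "timeout.exe" and parent is not None and TEMP_BAT.search(parent.cmdline):
            findings.append((p.pid, "delayed_launch_via_temp_bat", parent.cmdline))
        elif p.image.lower() == install_path:
            findings.append((p.pid, "dropped_exe_at_config_install_path", p.image))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyze(PROCS, CONFIG):
        print(f"{pid}\t{rule}\t{detail}")
```

Run on the transcribed records it reports three findings, one per stage (PIDs 2608, 2716 and 2624). The schtasks parser keys on the option names rather than on the full command string, so the same check catches a task with a different name or action path; the install-path check deliberately compares the executed image against the path derived from the config rather than against a hard-coded string, which is the comparison an analyst makes when validating an extracted config against observed behaviour.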
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
148B
MD5 78d1b5b9c41d6f5218997456d264f695
SHA1 7e9ef405b8dfcc45f55cbfa737abecc999fefa7d
SHA256 07d43faef6f1b22d2bf23dfa697f6e21c1dfdc769338776ffe9094cf2b3043ff
SHA512 b37c655c785b9ed63908b793f7c40eae4ccc8f4a7d34e69cec0e8627f0ff39f3315c8620dcf3352cd844c563764f6572b373129ba0b113d7840b5d0f3b9fffdc
-
Filesize
8B
MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
243KB
MD5 d88a06a393582a79ab6da48982ec87ae
SHA1 e5cc4271431fa138f4594847c20a5be3f6c919e4
SHA256 b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537
SHA512 41c75993633bf8d1f2dd9ab956ed40510a1d7678214a5311aed096c0e4678d6df57542908c4329f2424e9cb488f15cd554b06b151e909f7c70e4ce9d9a9191ac