Analysis

  • max time kernel
    90s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/03/2025, 17:51

General

  • Target

    1337.exe

  • Size

    24.3MB

  • MD5

    124d9ebd081fe16de958304349b59316

  • SHA1

    e2770e0cd44041e9ce91e77da2c7f56d04654ef3

  • SHA256

    50a1656f6cca2b5a9810f6a70352cf56d5ab156e80752a68f49e968460a634b1

  • SHA512

    49fcf668108b7b472bdec5261125c14e3e24251eb6b906b3bca4bf87a6333e7c1e6aec62c40a11ab975c5e4d3c750ca55cf5ef093a8f5ce7aaa70b477ab9ea9e

  • SSDEEP

    393216:QvKOA+h/KlqTs0jCaQBdzqLx0HQkGN3zFlfje6f4gXBNobFF6V44uS4SbO:Qi5+h/Kl3MVy9GxGGNjbP4g3oMV4E41

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

INC

Mutex

lwosqqqkziedfsbxxgh

Attributes
  • c2_url_file

    https://paste.ee/r/SvRLFmbW/0

  • delay

    1

  • install

    true

  • install_file

    System.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • VenomRAT 3 IoCs

    Detects VenomRAT.

  • Venomrat family
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1337.exe
    "C:\Users\Admin\AppData\Local\Temp\1337.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbAB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAZABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAdgBhACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Users\Admin\AppData\Roaming\MinuteRise.exe
      "C:\Users\Admin\AppData\Roaming\MinuteRise.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c pause
        3⤵
        PID:2668
      • C:\Users\Admin\AppData\Roaming\bodrumblock.exe
        "C:\Users\Admin\AppData\Roaming\bodrumblock.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1080
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8FF0.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\system32\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:1684
          • C:\Users\Admin\AppData\Roaming\System.exe
            "C:\Users\Admin\AppData\Roaming\System.exe"
            4⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:616

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      71KB

      MD5

      83142242e97b8953c386f988aa694e4a

      SHA1

      833ed12fc15b356136dcdd27c61a50f59c5c7d50

      SHA256

      d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

      SHA512

      bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    • C:\Users\Admin\AppData\Local\Temp\Tar98CD.tmp

      Filesize

      183KB

      MD5

      109cab5505f5e065b63d01361467a83b

      SHA1

      4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

      SHA256

      ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

      SHA512

      753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    • C:\Users\Admin\AppData\Local\Temp\tmp8FF0.tmp.bat

      Filesize

      150B

      MD5

      1b10d5cc865c9a5e0735b5436efcae9c

      SHA1

      920c60c63cd59555e34b850b133a95ab6c1495cb

      SHA256

      fae4cf63c105e4ee2e96b20ee888b88654c75c41ee25282308fa08ebadc4b9c3

      SHA512

      99956938c58df661f923020bf1350e26528bf98a1e8da1f590cdfa4544c2819bcd45eb62a9124ed051a5e2f42493699bdd2da9b59676c2097b152775ea023ceb

    • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

      Filesize

      8B

      MD5

      cf759e4c5f14fe3eec41b87ed756cea8

      SHA1

      c27c796bb3c2fac929359563676f4ba1ffada1f5

      SHA256

      c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

      SHA512

      c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

    • C:\Users\Admin\AppData\Roaming\bodrumblock.exe

      Filesize

      74KB

      MD5

      e830512d5396d46e4096ee5e77000346

      SHA1

      5166598d44af9a175df751f8b05fa03ac75eb564

      SHA256

      3a801e25820e80e07bc406d3e2a4758c27e8914fff70163923b802531d59a894

      SHA512

      c145ed988a0eae611f848cb546fce5a10d8e75afb020c58c0381142b9a76c7d54f1d38652a4838886567397a8d60e35789cef707a86d6c1d19da0c6337150e9e

    • \Users\Admin\AppData\Roaming\MinuteRise.exe

      Filesize

      24.2MB

      MD5

      ecae486dc6bd0a98d2ddcafb1f31234b

      SHA1

      9946585e084aa83595224ffdbb6309652688e83c

      SHA256

      b374f8110f763d82d7c9c810fb56143b368cdc653015fa8476371dafff5f5cc5

      SHA512

      4b5cd0f97d087dc4c28633ba02fa2d70d003773de98bbe9a58a2b4e62a14b99231f31ab51a59e7030d7f39857538303fafa6fc8953810c3837ffe02c51c8e407

    • memory/616-117-0x0000000000F50000-0x0000000000F68000-memory.dmp

      Filesize

      96KB

    • memory/2464-18-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

      Filesize

      9.9MB

    • memory/2464-1-0x00000000010C0000-0x0000000002918000-memory.dmp

      Filesize

      24.3MB

    • memory/2464-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

      Filesize

      4KB

    • memory/2464-2-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

      Filesize

      9.9MB

    • memory/2756-21-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

      Filesize

      32KB

    • memory/2756-20-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

      Filesize

      2.9MB

    • memory/2756-13-0x0000000002C00000-0x0000000002C80000-memory.dmp

      Filesize

      512KB

    • memory/2848-19-0x0000000000C70000-0x0000000000C88000-memory.dmp

      Filesize

      96KB

    • memory/3044-37-0x00000000773B0000-0x00000000773B2000-memory.dmp

      Filesize

      8KB

    • memory/3044-42-0x00000000773E0000-0x00000000773E2000-memory.dmp

      Filesize

      8KB

    • memory/3044-43-0x0000000140000000-0x00000001427BB000-memory.dmp

      Filesize

      39.7MB

    • memory/3044-40-0x00000000773E0000-0x00000000773E2000-memory.dmp

      Filesize

      8KB

    • memory/3044-38-0x00000000773E0000-0x00000000773E2000-memory.dmp

      Filesize

      8KB

    • memory/3044-35-0x00000000773B0000-0x00000000773B2000-memory.dmp

      Filesize

      8KB

    • memory/3044-33-0x00000000773B0000-0x00000000773B2000-memory.dmp

      Filesize

      8KB