Overview (score 10)
Static (score 10)

Tasks (sample, platform, score):
cdnmain/Exela.exe         windows10-ltsc 2021-x64   10
cdnmain/Exela.exe         windows11-21h2-x64        10
Stub.pyc                  windows10-ltsc 2021-x64   3
Stub.pyc                  windows11-21h2-x64        3
cdnmain/chrome.exe        windows10-ltsc 2021-x64   10
cdnmain/chrome.exe        windows11-21h2-x64        10
cdnmain/cl...st.exe       windows10-ltsc 2021-x64   1
cdnmain/cl...st.exe       windows11-21h2-x64        1
cdnmain/ef.exe            windows10-ltsc 2021-x64   10
cdnmain/ef.exe            windows11-21h2-x64        10
cdnmain/libsodium.dll     windows10-ltsc 2021-x64   1
cdnmain/libsodium.dll     windows11-21h2-x64        1
cdnmain/sqlite3.dll       windows10-ltsc 2021-x64   1
cdnmain/sqlite3.dll       windows11-21h2-x64        1
cdnmain/vc...40.dll       windows10-ltsc 2021-x64   1
cdnmain/vc...40.dll       windows11-21h2-x64        1
cdnmain/verif.exe         windows10-ltsc 2021-x64   1
cdnmain/verif.exe         windows11-21h2-x64        1

Analysis
- max time kernel: 112s
- max time network: 129s
- platform: windows11-21h2_x64
- resource: win11-20250217-en
- resource tags: arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 10/03/2025, 16:59
Behavioral tasks (task, sample, resource):
behavioral1   cdnmain/Exela.exe                 win10ltsc2021-20250217-en
behavioral2   cdnmain/Exela.exe                 win11-20250217-en
behavioral3   Stub.pyc                          win10ltsc2021-20250217-en
behavioral4   Stub.pyc                          win11-20250217-en
behavioral5   cdnmain/chrome.exe                win10ltsc2021-20250217-en
behavioral6   cdnmain/chrome.exe                win11-20250217-en
behavioral7   cdnmain/cloudflare_whitelist.exe  win10ltsc2021-20250217-en
behavioral8   cdnmain/cloudflare_whitelist.exe  win11-20250217-en
behavioral9   cdnmain/ef.exe                    win10ltsc2021-20250217-en
behavioral10  cdnmain/ef.exe                    win11-20250217-en
behavioral11  cdnmain/libsodium.dll             win10ltsc2021-20250217-en
behavioral12  cdnmain/libsodium.dll             win11-20250217-en
behavioral13  cdnmain/sqlite3.dll               win10ltsc2021-20250217-en
behavioral14  cdnmain/sqlite3.dll               win11-20250218-en
behavioral15  cdnmain/vcruntime140.dll          win10ltsc2021-20250217-en
behavioral16  cdnmain/vcruntime140.dll          win11-20250217-en
behavioral17  cdnmain/verif.exe                 win10ltsc2021-20250217-en
behavioral18  cdnmain/verif.exe                 win11-20250217-en
General
- Target: cdnmain/ef.exe
- Size: 54KB
- MD5: 0ed9406036832e40f6ace06478acdf44
- SHA1: 9a3ca883ec34bdfd1c21c61c6ca6d03c5365fa6e
- SHA256: 452e3305df1bf06c79301b9b87de1ec82561a793c4ef4ea5a02803123891b9f6
- SHA512: 9de32c71a4657d3e9ebd01fd1d933fd44b23c99809bbd0c8c423dcf8436d8c3f81e390ec34df8fb2e5a3a28974c864750ceaeb65693c04b1c5a1f8134eca69a5
- SSDEEP: 1536:de/mS9oEXN9p7aNJahXy4zGuH4XlqJaAIT+7bqhyX9qZ:d+mSawsLawqGMolq07i7bqMX9W
Malware Config
Extracted: asyncrat
- Version: 1.0.7
- Botnet: Default
- C2: 2.58.56.179:2035
- Mutex: r4ttlesn4ke_ufog3f8u3egef978
- delay: 1
- install: true
- install_file: Chrome.exe
- install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource                                     yara_rule
  behavioral10/files/0x001d00000002ad2b-7.dat  family_asyncrat
- Executes dropped EXE (2 IoCs)
  pid   Process
  1600  chrome.exe
  4264  Chrome.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid   Process
  2592  timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4512  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid   Process
  1600  chrome.exe  (19 entries, all for the same process)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1600  chrome.exe
  Token: SeDebugPrivilege  4264  Chrome.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process     procid_target
  PID 3732 wrote to memory of 1600  3732  ef.exe      82
  PID 3732 wrote to memory of 1600  3732  ef.exe      82
  PID 1600 wrote to memory of 1708  1600  chrome.exe  83
  PID 1600 wrote to memory of 1708  1600  chrome.exe  83
  PID 1600 wrote to memory of 4120  1600  chrome.exe  85
  PID 1600 wrote to memory of 4120  1600  chrome.exe  85
  PID 4120 wrote to memory of 2592  4120  cmd.exe     88
  PID 4120 wrote to memory of 2592  4120  cmd.exe     88
  PID 1708 wrote to memory of 4512  1708  cmd.exe     87
  PID 1708 wrote to memory of 4512  1708  cmd.exe     87
  PID 4120 wrote to memory of 4264  4120  cmd.exe     89
  PID 4120 wrote to memory of 4264  4120  cmd.exe     89
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\cdnmain\ef.exe (PID 3732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdnmain\ef.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\chrome.exe (PID 1600)
    Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 1708)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe (PID 4512)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"'
        - Scheduled Task/Job: Scheduled Task
    - C:\Windows\system32\cmd.exe (PID 4120)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB873.tmp.bat""
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe (PID 2592)
        Command line: timeout 3
        - Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\Chrome.exe (PID 4264)
        Command line: "C:\Users\Admin\AppData\Roaming\Chrome.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 425B
  MD5: de75c43a265d0848584ae05945570edf
  SHA1: 69f95177914f8d8b2f278a91f585a0024b8dffd3
  SHA256: d9bdf6a2bfdd9b2b5c8593de17ade3d8d317dad331aa6ca0da7483dd06db1140
  SHA512: 365f29c693dd7aa2ade092d765a96f20bf1f7fa93bca7f3b25aeddf5700817b9fd388e8f7d9f1b781c8a876739b06ad16d61e7ed08a1c85ac4be4686a38c63bc
- Filesize: 48KB
  MD5: 560316acf1e4be6ee63f609da37e71b5
  SHA1: 5f22dcf7736356e24b92397162acb723010914fb
  SHA256: 44d97fbdb694ca55e3beec4ec031ef5162018bdbaff6a968ac25a21e078511b0
  SHA512: 38d185d48cf537162ef8302df31cdf723d7407765f21284492345cae914d38ec9e3a6cfee0080b5ff9ebef29f7ac54a505ea2e6fea5d65a60c4e6e1e67fb3361
- Filesize: 150B
  MD5: 8467c56629b1bcb88212bdad2de927a3
  SHA1: 39bb782650fce3eb297bcd2bef6713ce50ae3e51
  SHA256: a5166966dba898c339eaefc6c8ec362e98a3f201481891ca217cb06ac9567782
  SHA512: 5f4d4a4645ca1cd46f0751a4242b3c5ee6ddd885ad6c898429e29ba3185df7fd22b3231aea7993c2e09b8d9d2b28f75b6e94b2541a974cf7cfa13e9bb5615f4a