Overview (score 10)

Task                       Platform                    Score
Static                     static                      10
cdnmain/Exela.exe          windows10-ltsc 2021-x64     10
cdnmain/Exela.exe          windows11-21h2-x64          10
Stub.pyc                   windows10-ltsc 2021-x64     3
Stub.pyc                   windows11-21h2-x64          3
cdnmain/chrome.exe         windows10-ltsc 2021-x64     10
cdnmain/chrome.exe         windows11-21h2-x64          10
cdnmain/cl...st.exe        windows10-ltsc 2021-x64     1
cdnmain/cl...st.exe        windows11-21h2-x64          1
cdnmain/ef.exe             windows10-ltsc 2021-x64     10
cdnmain/ef.exe             windows11-21h2-x64          10
cdnmain/libsodium.dll      windows10-ltsc 2021-x64     1
cdnmain/libsodium.dll      windows11-21h2-x64          1
cdnmain/sqlite3.dll        windows10-ltsc 2021-x64     1
cdnmain/sqlite3.dll        windows11-21h2-x64          1
cdnmain/vc...40.dll        windows10-ltsc 2021-x64     1
cdnmain/vc...40.dll        windows11-21h2-x64          1
cdnmain/verif.exe          windows10-ltsc 2021-x64     1
cdnmain/verif.exe          windows11-21h2-x64          1

Analysis
max time kernel:   39s
max time network:  49s
platform:          windows10-ltsc 2021_x64
resource:          win10ltsc2021-20250217-en
resource tags:     arch:x64, arch:x86, image:win10ltsc2021-20250217-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted:         10/03/2025, 16:59
Behavioral tasks

Task          Sample                             Resource
behavioral1   cdnmain/Exela.exe                  win10ltsc2021-20250217-en
behavioral2   cdnmain/Exela.exe                  win11-20250217-en
behavioral3   Stub.pyc                           win10ltsc2021-20250217-en
behavioral4   Stub.pyc                           win11-20250217-en
behavioral5   cdnmain/chrome.exe                 win10ltsc2021-20250217-en
behavioral6   cdnmain/chrome.exe                 win11-20250217-en
behavioral7   cdnmain/cloudflare_whitelist.exe   win10ltsc2021-20250217-en
behavioral8   cdnmain/cloudflare_whitelist.exe   win11-20250217-en
behavioral9   cdnmain/ef.exe                     win10ltsc2021-20250217-en
behavioral10  cdnmain/ef.exe                     win11-20250217-en
behavioral11  cdnmain/libsodium.dll              win10ltsc2021-20250217-en
behavioral12  cdnmain/libsodium.dll              win11-20250217-en
behavioral13  cdnmain/sqlite3.dll                win10ltsc2021-20250217-en
behavioral14  cdnmain/sqlite3.dll                win11-20250218-en
behavioral15  cdnmain/vcruntime140.dll           win10ltsc2021-20250217-en
behavioral16  cdnmain/vcruntime140.dll           win11-20250217-en
behavioral17  cdnmain/verif.exe                  win10ltsc2021-20250217-en
behavioral18  cdnmain/verif.exe                  win11-20250217-en

The report below is for behavioral5 (cdnmain/chrome.exe on win10ltsc2021-20250217-en); the YARA hit path in Signatures refers to that task.
General

Target:  cdnmain/chrome.exe
Size:    48KB
MD5:     560316acf1e4be6ee63f609da37e71b5
SHA1:    5f22dcf7736356e24b92397162acb723010914fb
SHA256:  44d97fbdb694ca55e3beec4ec031ef5162018bdbaff6a968ac25a21e078511b0
SHA512:  38d185d48cf537162ef8302df31cdf723d7407765f21284492345cae914d38ec9e3a6cfee0080b5ff9ebef29f7ac54a505ea2e6fea5d65a60c4e6e1e67fb3361
SSDEEP:  768:+BUQgNIL4+M0+LiPLKjwiT8Ybrge09FvEgK/Jw8Vc6KN:+B1gjsPLKTzbUxznkJw8VclN
Malware Config

Extracted
  Family:   asyncrat
  Version:  1.0.7
  Botnet:   Default
  C2:       2.58.56.179:2035
  Mutex:    r4ttlesn4ke_ufog3f8u3egef978
  Attributes:
    delay           1
    install         true
    install_file    Chrome.exe
    install_folder  %AppData%

With install set to true, install_folder and install_file give the expected on-disk copy of the RAT at %AppData%\Chrome.exe, which is exactly the path the scheduled task and the dropped executable in the process tree below point to.
Signatures

Asyncrat family

Async RAT payload (1 IoC)
  resource:   behavioral5/files/0x000d000000027c4b-10.dat
  yara_rule:  family_asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried:  \REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Control Panel\International\Geo\Nation  (chrome.exe)

Executes dropped EXE (1 IoC)
  pid 1340  Chrome.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  pid 4044  timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 444  schtasks.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid 1724  chrome.exe  (23 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1724  chrome.exe
  Token: SeDebugPrivilege  pid 1340  Chrome.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                         pid   Process     procid_target
  PID 1724 wrote to memory of 4848    1724  chrome.exe  84   (x2)
  PID 1724 wrote to memory of 3992    1724  chrome.exe  86   (x2)
  PID 4848 wrote to memory of 444     4848  cmd.exe     88   (x2)
  PID 3992 wrote to memory of 4044    3992  cmd.exe     89   (x2)
  PID 3992 wrote to memory of 1340    3992  cmd.exe     92   (x2)
  Every entry here is a parent writing into a child it has just spawned (compare the process tree below); the report records no write into an unrelated process.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\cdnmain\chrome.exe  (PID 1724)
  "C:\Users\Admin\AppData\Local\Temp\cdnmain\chrome.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 4848)
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe  (PID 444)
      schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"'
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\system32\cmd.exe  (PID 3992)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp901A.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe  (PID 4044)
      timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\Chrome.exe  (PID 1340)
      "C:\Users\Admin\AppData\Roaming\Chrome.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

Read top to bottom, this is the AsyncRAT installer path: the original binary registers a logon-triggered task named "Chrome" at the highest run level pointing at a copy in %AppData%, then runs a dropped tmp901A.tmp.bat that waits three seconds (timeout 3) before starting that copy, which in turn requests SeDebugPrivilege. Note that the task name, the install file name and the dropped copy all masquerade as Chrome while living under the user's roaming profile rather than Program Files.
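The chain above is something a detection engineer would rather catch from endpoint process-creation telemetry than learn from a sandbox verdict. The Python below is an added example, not tria.ge output and not code from the sample or its author: it rebuilds the report's process tree as a list of events (command lines transcribed from the Processes section; the event shape and the root's parent PID 1000 are assumed) and runs three checks over it: a schtasks /create with /rl highest whose /tr target sits in a user-writable directory, cmd.exe executing a tmpXXXX.tmp.bat from %TEMP%, and a binary in a user-writable directory started by such a .bat runner that also spawned timeout.exe.

```python
"""Flag the AsyncRAT-style install chain from the report (schtasks persistence,
tmp .bat runner, delayed launch of the dropped copy) in process-creation events.

Added example, not tria.ge output. EVENTS is constructed from the command lines
in the report's process tree; the root's parent PID (1000) is assumed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's Processes section; ppid 1000 for the root is assumed.
EVENTS = [
    ProcEvent(1724, 1000, r"C:\Users\Admin\AppData\Local\Temp\cdnmain\chrome.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\cdnmain\chrome.exe"'),
    ProcEvent(4848, 1724, r"C:\Windows\System32\cmd.exe",
              r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '''
              r'''/tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"' & exit'''),
    ProcEvent(444, 4848, r"C:\Windows\system32\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"'"""),
    ProcEvent(3992, 1724, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp901A.tmp.bat""'),
    ProcEvent(4044, 3992, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(1340, 3992, r"C:\Users\Admin\AppData\Roaming\Chrome.exe",
              r'"C:\Users\Admin\AppData\Roaming\Chrome.exe"'),
]

# Directories a standard user can write to: a highest-run-level logon task or a
# freshly dropped binary living here is the signal, not schtasks.exe by itself.
USER_WRITABLE = re.compile(r"(?i)\\(appdata|programdata)\\|\\temp\\")
# Batch files named tmpXXXX.tmp.bat under a Temp directory (tmp901A.tmp.bat in the report).
TMP_BAT = re.compile(r"(?i)\\temp\\tmp[0-9a-f]+\.tmp\.bat")
TR_ARG = re.compile(r'''(?i)/tr\s+['"]*([^'"]+)''')
SC_ARG = re.compile(r"(?i)/sc\s+(\S+)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_schtasks_persistence(ev: ProcEvent):
    """schtasks /create ... /rl highest whose /tr target is in a user-writable directory."""
    if basename(ev.image) != "schtasks.exe":
        return None
    low = ev.cmdline.lower()
    if "/create" not in low or "/rl highest" not in low:
        return None
    target = TR_ARG.search(ev.cmdline)
    if not target or not USER_WRITABLE.search(target.group(1)):
        return None
    sc = SC_ARG.search(ev.cmdline)
    return {"rule": "schtasks_highest_to_user_path", "pid": ev.pid,
            "target": target.group(1).strip(), "trigger": sc.group(1).lower() if sc else None}


def detect_tmp_bat_runner(ev: ProcEvent):
    """cmd.exe running a tmpXXXX.tmp.bat dropped under a Temp directory."""
    if basename(ev.image) != "cmd.exe":
        return None
    m = TMP_BAT.search(ev.cmdline)
    if not m:
        return None
    return {"rule": "cmd_runs_tmp_bat", "pid": ev.pid, "bat": m.group(0)}


def detect_delayed_dropped_exec(ev: ProcEvent, by_pid, children):
    """Binary in a user-writable dir started by a tmp .bat runner that also ran timeout.exe."""
    if not USER_WRITABLE.search(ev.image) or basename(ev.image) in ("cmd.exe", "timeout.exe"):
        return None
    parent = by_pid.get(ev.ppid)
    if parent is None or detect_tmp_bat_runner(parent) is None:
        return None
    siblings = (by_pid[p] for p in children.get(parent.pid, ()))
    if not any(basename(s.image) == "timeout.exe" for s in siblings):
        return None
    return {"rule": "delayed_dropped_exec", "pid": ev.pid,
            "parent_pid": parent.pid, "image": ev.image}


def analyse(events):
    """Run all three checks over a batch of events; alerts come back in event order."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    alerts = []
    for e in events:
        for hit in (detect_schtasks_persistence(e), detect_tmp_bat_runner(e),
                    detect_delayed_dropped_exec(e, by_pid, children)):
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```

Run against the reconstructed tree this yields one alert per stage (PIDs 444, 3992 and 1340). The schtasks check deliberately keys on the run level plus a user-writable target rather than on schtasks.exe itself, so a vendor updater registering a task under Program Files does not fire; the third check requires the parent/sibling relationship, which keeps it from matching every process that happens to start from AppData.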
Network
MITRE ATT&CK Enterprise v15
Downloads

425B
  MD5:     822f6384df6d1671168631e912dd7a4c
  SHA1:    972aacac112d14ea63c9d33b57ecd402e67a5f19
  SHA256:  5f50faf2e5bbac2ce5423530952c977e965d60dfb6920a5cce5a707bac630bc4
  SHA512:  3c03b3c90b551c7febce56406b48e5e4022e7128bfd3a283ec0e3dd952575649af3428b514fb8a312358eb643d3a4f3f4f747a16c29b8863f5367fffe11a9fbf

150B
  MD5:     eba00d08e792dc34afc75d53942d590e
  SHA1:    a3552737a9b1f28adcf228a7853450f75ef07018
  SHA256:  8758046bad501bd0f0086c31829b6b983d5004152308b8bfd63357ad16d5208e
  SHA512:  f35a432b8f8394b87e93314636650639dacae23799a5fed5e899fc9a5aac479cec33ef81b45f78697c8cc47dd10f138a86ebe0065d0eb93f6b738eed287657fb

48KB (same hashes as the analysed sample cdnmain/chrome.exe in General)
  MD5:     560316acf1e4be6ee63f609da37e71b5
  SHA1:    5f22dcf7736356e24b92397162acb723010914fb
  SHA256:  44d97fbdb694ca55e3beec4ec031ef5162018bdbaff6a968ac25a21e078511b0
  SHA512:  38d185d48cf537162ef8302df31cdf723d7407765f21284492345cae914d38ec9e3a6cfee0080b5ff9ebef29f7ac54a505ea2e6fea5d65a60c4e6e1e67fb3361