Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/03/2025, 08:15
Behavioral task behavioral1
- Sample: PO202503D.xlsm
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: PO202503D.xlsm
- Resource: win10v2004-20250217-en
General
- Target: PO202503D.xlsm
- Size: 36KB
- MD5: 7928d4da38767e17b693dc1c3b12376b
- SHA1: b357c6211bbf9b463553d5137aac957fbd9b0868
- SHA256: 525dca66603ba93785836da140e8bf75d86a71ce828d30797171a3989e1dee51
- SHA512: a3820c8bf86d3b29c781e28504e745d15e100a1e962c39f9f9d9185461f67233ef211c52b01c389b34fcc66876b22e22c122989c6a93ce885c3599f4650842ee
- SSDEEP: 768:hSfin4o5bHOKLIsbWyi14m1xMeJodBTFRiARLVgqKM2kqioUuV2SB:hSfiNbLRbjcBJo9RiCf3qiXuZ
Malware Config
Extracted
darkvision
myasyncrat.ddns.net
Signatures
- DarkVision Rat
  DarkVision Rat is a trojan written in C++.
- Darkvision family
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3704 | 4364 | 7z.exe | 84
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2768 | 4364 | regsvr32.exe | 84
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  3696 | powershell.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1140 | PO202502DAKE.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1140 | PO202502DAKE.exe (2 identical entries)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO202502DAKE = "cmd.exe /C start \"\" /D \"C:\\Users\\Admin\\SystemRootDoc\" \"C:\\Users\\Admin\\SystemRootDoc\\PO202502DAKE.exe\"" | PO202502DAKE.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1140 set thread context of 4832 | 1140 | PO202502DAKE.exe | 101
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  4364 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  3696 | powershell.exe (3 identical entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 3704 | 7z.exe
  Token: 35 | 3704 | 7z.exe
  Token: SeSecurityPrivilege | 3704 | 7z.exe
  Token: SeSecurityPrivilege | 3704 | 7z.exe
  Token: SeDebugPrivilege | 1140 | PO202502DAKE.exe
  Token: SeDebugPrivilege | 3696 | powershell.exe
- Suspicious use of SetWindowsHookEx (16 IoCs)
  pid | Process
  4364 | EXCEL.EXE (16 identical entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 4364 wrote to memory of 3704 | 4364 | EXCEL.EXE | 95 (2 entries)
  PID 4364 wrote to memory of 2768 | 4364 | EXCEL.EXE | 97 (2 entries)
  PID 4364 wrote to memory of 1140 | 4364 | EXCEL.EXE | 98 (2 entries)
  PID 1140 wrote to memory of 3696 | 1140 | PO202502DAKE.exe | 100 (2 entries)
  PID 1140 wrote to memory of 4832 | 1140 | PO202502DAKE.exe | 101 (10 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4364)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO202503D.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\7-Zip\7z.exe (PID 3704)
    Command line: "C:\Program Files\7-Zip\7z.exe" x -p123456 -y -o"C:\Users\Admin\AppData\Local\Temp\invoice_temp\" "C:\Users\Admin\AppData\Local\Temp\invoice_temp\PO202502DAKE.zip"
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\regsvr32.exe (PID 2768)
    Command line: "regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\invoice_temp\vcruntime210.dll"
    - Process spawned unexpected child process
  - C:\Users\Admin\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe (PID 1140)
    Command line: "C:\Users\Admin\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3696)
      Command line: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\SystemRootDoc' -Force"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe (PID 4832)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads