Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
303s -
max time network
305s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
11/03/2025, 13:10
Behavioral task
behavioral1
Sample
AsyncClient.exe
Resource
win10v2004-20250217-en
Errors
General
-
Target
AsyncClient.exe
-
Size
47KB
-
MD5
f9253eafbd6718a759325e873cf8f6b8
-
SHA1
7cdd0ccbf4940d255952996a444c5d4fd928eb1a
-
SHA256
8f0f590c8a0d635016a9c1464d099c8eda20eed012fe4f6ee6bb117d92fa2c7b
-
SHA512
b47d2449fa76f62128d5a918db882e0de3c46f4fad2a3302175d778519b32bb1871d41a249b169bd26215ef4330a67da85ebfe27b68be11337d7adb736306cc6
-
SSDEEP
768:NuI1tT/w70kWUquzumo2qzhcWItdiBWmPI86Fr/0bJtzKQFmGcQ6BwKmayBDZYx:NuI1tT/kW2acWrBY8YcbJtzK275VdYx
Malware Config
Extracted
asyncrat
0.5.8
Steam
77.100.63.251:5631
P1D9ySnUAXPA
-
delay
3
-
install
false
-
install_file
Steam.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation AsyncClient.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AsyncClient.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language shutdown.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "19" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3840 AsyncClient.exe Token: SeShutdownPrivilege 4740 shutdown.exe Token: SeRemoteShutdownPrivilege 4740 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3516 LogonUI.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3840 wrote to memory of 4772 3840 AsyncClient.exe 114 PID 3840 wrote to memory of 4772 3840 AsyncClient.exe 114 PID 3840 wrote to memory of 4772 3840 AsyncClient.exe 114 PID 4772 wrote to memory of 4740 4772 cmd.exe 116 PID 4772 wrote to memory of 4740 4772 cmd.exe 116 PID 4772 wrote to memory of 4740 4772 cmd.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c Shutdown /r /f /t 002⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\shutdown.exeShutdown /r /f /t 003⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4740
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa390f055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3516