Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Doc_168118...81.exe

windows7-x64

7

Doc_168118...81.exe

windows10-2004-x64

10

Doc_168118...81.exe

windows7-x64

7

Doc_168118...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    172s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2025, 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Doc_16811806711348617673558987317572681097380136281.exe

  • Size

    1.1MB

  • MD5

    f5c33c21056d3ef62172fc876faad063

  • SHA1

    fb56e9043f19afdf49c61063ba30fe0ad72daf07

  • SHA256

    655c37dadba41474eb3447ff8b23e064e760013e7c84503f9eb25d21f8bd3ec3

  • SHA512

    aa29db436c336847d04b7317a1d8a4cd5c8335db1d2235fb3bb685a7907fcdd8cec8eca8f2818bdc8e1e61c5bf265978e692ffeef766a962a9b7406447afd3c6

  • SSDEEP

    24576:PMjhbhcgdHRQp+DKjHfEhZQntmXft63I3i43eOooZw:CpeuHhZ7Q3q1Zw

Score
10/10
asyncratdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

SapphireRAT v3.2.0

C2

iafinitd18jw3jdvhy4nhv.duckdns.org:15348

iafinitd18jw3jdvhy4nhv.duckdns.org:35981

iafinitd18jw3jdvhy4nhv.duckdns.org:42369
Mutex

cpyzzyzerqwbqvpuh

Attributes
  • delay

    1

  • install

    false

  • install_file

    %File%

  • install_folder

    %Folder%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to execute payload.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Doc_16811806711348617673558987317572681097380136281.exe
    "C:\Users\Admin\AppData\Local\Temp\Doc_16811806711348617673558987317572681097380136281.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Users\Admin\AppData\Local\Temp\is-LGMIB.tmp\Doc_16811806711348617673558987317572681097380136281.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LGMIB.tmp\Doc_16811806711348617673558987317572681097380136281.tmp" /SL5="$8024A,695232,190976,C:\Users\Admin\AppData\Local\Temp\Doc_16811806711348617673558987317572681097380136281.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Users\Admin\AppData\Local\Temp\Doc_16811806711348617673558987317572681097380136281.exe
        "C:\Users\Admin\AppData\Local\Temp\Doc_16811806711348617673558987317572681097380136281.exe" /VERYSILENT
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Users\Admin\AppData\Local\Temp\is-HAQMA.tmp\Doc_16811806711348617673558987317572681097380136281.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-HAQMA.tmp\Doc_16811806711348617673558987317572681097380136281.tmp" /SL5="$11016A,695232,190976,C:\Users\Admin\AppData\Local\Temp\Doc_16811806711348617673558987317572681097380136281.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3080
          • C:\Windows\SysWOW64\regsvr32.exe
            "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\8dxgi.ocx"
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4656
            • C:\Windows\system32\regsvr32.exe
              /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\8dxgi.ocx"
              6⤵
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4636
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\8dxgi.ocx\"' }) { exit 0 } else { exit 1 }"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4752
              • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
                "PowerShell.exe" -NoProfile -NonInteractive -Command -
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1200
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\8dxgi.ocx\"' }) { exit 0 } else { exit 1 }"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:4256
  • C:\Windows\system32\regsvr32.EXE
    C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\8dxgi.ocx"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\8dxgi.ocx\"' }) { exit 0 } else { exit 1 }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:4904
  • C:\Windows\system32\regsvr32.EXE
    C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\8dxgi.ocx"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\8dxgi.ocx\"' }) { exit 0 } else { exit 1 }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:4108

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    12c844ed8342738dacc6eb0072c43257

    SHA1

    b7f2f9e3ec4aaf5e2996720f129cd64887ac91d7

    SHA256

    2afeb7db4e46d3c1524512a73448e9cd0121deec761d8aa54fa9fe8b56df7519

    SHA512

    e3de9103533a69cccc36cd377297ba3ec9bd7a1159e1349d2cc01ab66a88a5a82b4ee3af61fab586a0cdfab915c7408735439fd0462c5c2cc2c787cb0765766a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    c8c29f1f588816cb69fcebf642891720

    SHA1

    968d91f771b5e235c91952025509479c4456b44e

    SHA256

    2e1d2b0a86abe46d40843dbc522f6c9891671b21c1ac61e21d32f7245a93eb8b

    SHA512

    6b19696757654762ec551388c04142d4404892314c3e8a811b3260834dd6110b57be9aa4a0497ff579a4936c91cbdfbf7a938f676ee24e7476ecdd1b668cac3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    f9c1bdaf442de98db929dbbffe07f50a

    SHA1

    f3c153ec59bd6a56b1041a7fa464621fe7fc59bb

    SHA256

    dd496968153718a44063dbc4e9662fedb2e872a53965f22944caa1358121a0aa

    SHA512

    2349fba651e63c2f45b16d2f2b7739afb6d7f4fa5625d9797733c4a15a827a5a344388de704f2d8326a442b75cbbb2841997372592b9bd188e2685e76ec311b4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d876732bbd3f6c9cf9e2be236480e367

    SHA1

    8f2dd87515f7bcf62cc89a8a27cc4fa7817e0823

    SHA256

    a4cea038e351c82952d795d84b29fc3e92680560d881bb86fe9dfbc4658dd9d0

    SHA512

    375217306f3de9bf02548db09efba9065b84314a1ddecba022613f9502a3302c3e7a800561253c8a2b6bfade0f5f8dd5c5a1ad4e58e45c613965c4564bfb14ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cx0jtez0.qbl.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-LGMIB.tmp\Doc_16811806711348617673558987317572681097380136281.tmp
    Filesize

    1.2MB

    MD5

    5824259f69c4ece6cc28a81c9dec3abe

    SHA1

    6c4d89700e5c396407ec074331a6028e90a21ba4

    SHA256

    25d874689683f19a474590bc869bb9abcdc7472393fc57344f1a24bda05a4fc0

    SHA512

    0f19b9aeda82acab6d2c48612b30ff3f1d533d033dfac011c5c81c113f0139a8cc99a756b2105df334fdcd02cf38b16ef79ccc002ae1eff096fa4119d0273477

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-QKV61.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\8dxgi.ocx
    Filesize

    1.2MB

    MD5

    8489f0b3c714542bd3aba532a16728ba

    SHA1

    3e51def0437bf4465a1852ec2148e401fc999fd3

    SHA256

    d1ddcd8b4c506f3af24f6ee63209de1342b1a5b29a73d8baadfea8d087daf940

    SHA512

    721cd16e7f7a9bb0a020f3f2849aa1f3e7de4abf1db1f7da307fab9a6b74d8d9db52353a7c5b988fe300bc589f218d81513ad726d7f6cba078b55cb009d60a7c

    Download Submit

  • memory/1776-100-0x00007FFD75DE0000-0x00007FFD75F17000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2116-16-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2116-14-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2116-41-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2496-18-0x0000000000400000-0x0000000000534000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2496-7-0x0000000000400000-0x0000000000534000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3080-37-0x0000000000400000-0x0000000000534000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3080-28-0x0000000000400000-0x0000000000534000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3784-19-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/3784-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/3784-2-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4636-80-0x00007FFD75DE0000-0x00007FFD75F17000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4636-81-0x0000000002990000-0x00000000029A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4636-83-0x00007FFD75DE0000-0x00007FFD75F17000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4636-121-0x00007FFD75DE0000-0x00007FFD75F17000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4672-119-0x00007FFD75DE0000-0x00007FFD75F17000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4752-43-0x000001F8F4850000-0x000001F8F4872000-memory.dmp

    Filesize

    136KB

    Download