Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/03/2025, 19:45

General

  • Target

    ORDER#25320789-408AC.js

  • Size

    563KB

  • MD5

    ab0dac9d1b9b83383dbc5d469d5fa1ae

  • SHA1

    b15b24f82ef0a07fce5b7c2735d8a8b46b547287

  • SHA256

    398e3d3d2ad8e2e91693c1682780d2352ebe962b67547af5c20735ae97ea94a9

  • SHA512

    66829799b8233f142aa1420f1e2dd4dfbdc3f2417279b12481d87612a0d97add61d819e58c369818ac201a4ba568e92d5fcd4b9ce17fb68332eeb5718f2f72fc

  • SSDEEP

    3072:MCAFTI3Ws7WZ4hRPhts7YRw7Xx5FzNM6x/P0UHD2yQ/ry:MCAFs3F7WZIhe7nbDIxu

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25

C2

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    WindowsUpdate.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

wshrat

C2

http://chongmei33.myddns.rocks:7044

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Wshrat family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 27 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Script User-Agent 27 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER#25320789-408AC.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:2636
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Users\Admin\AppData\Local\Temp\RDo.exe
        "C:\Users\Admin\AppData\Local\Temp\RDo.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"' & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1260
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2848
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B64.tmp.bat""
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:568
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2820
          • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
            "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RDo.exe

    Filesize

    45KB

    MD5

    7e54eec2d10957178e6410ba1c899c21

    SHA1

    9f79b7ef7b24933b0b106a387fbf5834863dbc78

    SHA256

    d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8

    SHA512

    e7cec2a67334c72e6476adb53bcb6de575f7c9513a49f0be7a7f6fb00b23ac070335b734631f024c411293cb09d0faa89bf7017837d65f5188884eabf853dd17

  • C:\Users\Admin\AppData\Local\Temp\adobe.js

    Filesize

    305KB

    MD5

    294f1f4ee9bd1a410379ccc7430c7a69

    SHA1

    02436fc31c5fa37c3735dcff0f450c20e302e7a2

    SHA256

    f0cc3f5f26302ba2cd290d11052a42b4adc5401b953439d49723b666ac100187

    SHA512

    8a87e29348ef3bd4c1847a65ef9ffabedba4f51504512819df396123d90e7bf8e1b3e7edb1e4e33419a8d309e47cbaa2f7c3a9f387f6d987cedc4e048d479abd

  • C:\Users\Admin\AppData\Local\Temp\tmp2B64.tmp.bat

    Filesize

    160B

    MD5

    d8b01d726de7e2bfc2e8f8fe2eb1e420

    SHA1

    2256a1fd802245bd7c37ab2b8f8b259b2c065ae7

    SHA256

    e815076d42b94ade4541ee10ad286880bce933b292922ea383997537929f5a6c

    SHA512

    44c596f9941957fcb37be5b0bbf58488f850458daa0f7b734dbc340156e5a6789c72bf7c26dc7f0bb9a77929c32b91c1d49984f11f3145142de6ec35bbad0000

  • C:\Users\Admin\AppData\Local\Temp\word.js

    Filesize

    82KB

    MD5

    33d6e875441823e698ea8b8c4739dfd4

    SHA1

    a446695785e38522c923a5340e43c236ac332616

    SHA256

    32e6e9765b2e1e18699fdcc2817137b22f893457e2a10ae3f66081dd58f811ce

    SHA512

    633a462dba83497be30c969c1c637f144e1ff2bc741687326a53604bce93dd80af12acb49e546942978a2e629d6811b8612cd1362af5d41921ddae59b38977d2

  • memory/996-34-0x0000000000910000-0x0000000000922000-memory.dmp

    Filesize

    72KB

  • memory/3004-20-0x0000000000F00000-0x0000000000F12000-memory.dmp

    Filesize

    72KB