Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
139s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20221111-es -
resource tags
-
submitted
01/01/2023, 04:29
General
-
Target
Steam Checker By abbadon/config/Config.bat
-
Size
264B
-
MD5
443439b6d74924824b35ee2fe65af7e7
-
SHA1
c94233394c85c86ea0f1d658a32e5ab27f60730f
-
SHA256
74d98354b2cf545581931fef42a42e8fc3298b236f6536cc31fa821f31b4e6da
-
SHA512
98b28b6546e3fd3fbf89895c21ff6b7d93568559433addc4be238825a11445a2496c90a872f10e0b316fdaf07ee0ccbf4054d7c5483456ecbda36154b879f1be
Malware Config
Extracted
asyncrat
1.0.7
C
185.81.157.169:2023
7G6ZCBCA-NJ11-YS93-65bg-CX918E7238D5
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 7 IoCs
-
Executes dropped EXE 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon\config\Config.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users" -force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Microsoft\MicrosoftEdgeUpdates\EdgeUpdate" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe" /RL HIGHEST /f2⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Microsoft\SystemUpdates\SysUpdate" /tr "C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe" /RL HIGHEST /f2⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates2⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Roaming\SystemUpdates2⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File CopyTo.PS12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C2.PS12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {B820CF15-A04E-4592-8D83-67FD4A5FBA9C} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exeC:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exeC:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exeC:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD5492bd942c673806c4dc7d076d44a06de
SHA1ace44cc6d1f875aa1b58c2c0c51901f9c11b0221
SHA25630e04b25281b27e83652be61a8a61821730e30be65a95452c3b93a7a17333f00
SHA5128a328d28055337629823795dcc96adf1fce2dba6079ec29472b81f8b89917d6b312efc0ec566732effcbfa95ddf96848dead444900096ed71da590dd3861477f
-
Filesize
15KB
MD5492bd942c673806c4dc7d076d44a06de
SHA1ace44cc6d1f875aa1b58c2c0c51901f9c11b0221
SHA25630e04b25281b27e83652be61a8a61821730e30be65a95452c3b93a7a17333f00
SHA5128a328d28055337629823795dcc96adf1fce2dba6079ec29472b81f8b89917d6b312efc0ec566732effcbfa95ddf96848dead444900096ed71da590dd3861477f
-
Filesize
7KB
MD57d172571a5b9f521b5e6baced6fdbf84
SHA19687c81e5906ab2b0b5bf3475bc3cac251838dba
SHA25659d68478b08bb04fb8855b8376d2d9cc2ca2b04bcfb0e3258a1e60a9e260aaed
SHA512f1c3df2978a2197d0a56c4f5085ab853c191253cd990722c6b5f091b351ad936b470d16ed0675a2c708a0041ad9dbdc43bbcc2adc4468272ffc7114706ba4d1a
-
Filesize
7KB
MD57d172571a5b9f521b5e6baced6fdbf84
SHA19687c81e5906ab2b0b5bf3475bc3cac251838dba
SHA25659d68478b08bb04fb8855b8376d2d9cc2ca2b04bcfb0e3258a1e60a9e260aaed
SHA512f1c3df2978a2197d0a56c4f5085ab853c191253cd990722c6b5f091b351ad936b470d16ed0675a2c708a0041ad9dbdc43bbcc2adc4468272ffc7114706ba4d1a
-
Filesize
7KB
MD57d172571a5b9f521b5e6baced6fdbf84
SHA19687c81e5906ab2b0b5bf3475bc3cac251838dba
SHA25659d68478b08bb04fb8855b8376d2d9cc2ca2b04bcfb0e3258a1e60a9e260aaed
SHA512f1c3df2978a2197d0a56c4f5085ab853c191253cd990722c6b5f091b351ad936b470d16ed0675a2c708a0041ad9dbdc43bbcc2adc4468272ffc7114706ba4d1a
-
Filesize
242KB
MD5640d55589c839016931890b47305d638
SHA1bf5062f9c16a3966abe3e7dbb083f539f1b38126
SHA2566dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689
SHA512da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa
-
Filesize
242KB
MD5640d55589c839016931890b47305d638
SHA1bf5062f9c16a3966abe3e7dbb083f539f1b38126
SHA2566dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689
SHA512da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa
-
Filesize
242KB
MD5640d55589c839016931890b47305d638
SHA1bf5062f9c16a3966abe3e7dbb083f539f1b38126
SHA2566dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689
SHA512da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa
-
Filesize
3.0MB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
3.0MB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
68KB
-
Filesize
264KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
124KB
-
Filesize
3.0MB
-
Filesize
8KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
3.0MB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
40KB
-
Filesize
256KB
-
Filesize
40KB
-
Filesize
264KB