Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

Steam Chec...ne.dll

windows7-x64

1

Steam Chec...ne.dll

windows10-2004-x64

1

Steam Chec...52.dll

windows7-x64

1

Steam Chec...52.dll

windows10-2004-x64

1

Steam Chec...me.dll

windows7-x64

1

Steam Chec...me.dll

windows10-2004-x64

1

Steam Chec...in.dll

windows7-x64

1

Steam Chec...in.dll

windows10-2004-x64

1

Steam Chec...gn.dll

windows7-x64

1

Steam Chec...gn.dll

windows10-2004-x64

1

Steam Chec...ts.dll

windows7-x64

1

Steam Chec...ts.dll

windows10-2004-x64

1

Steam Chec...rk.dll

windows7-x64

1

Steam Chec...rk.dll

windows10-2004-x64

1

Steam Chec....0.dll

windows7-x64

1

Steam Chec....0.dll

windows10-2004-x64

1

Steam Chec...on.dll

windows7-x64

1

Steam Chec...on.dll

windows10-2004-x64

1

Steam Chec...on.exe

windows7-x64

10

Steam Chec...on.exe

windows10-2004-x64

10

Steam Chec...ne.dll

windows7-x64

1

Steam Chec...ne.dll

windows10-2004-x64

1

Steam Chec...en.dll

windows7-x64

1

Steam Chec...en.dll

windows10-2004-x64

1

Steam Chec...ig.bat

windows7-x64

10

Steam Chec...ig.bat

windows10-2004-x64

10

Steam Chec...C2.ps1

windows7-x64

1

Steam Chec...C2.ps1

windows10-2004-x64

1

Steam Chec...To.ps1

windows7-x64

1

Steam Chec...To.ps1

windows10-2004-x64

1

Steam Chec...rk.bat

windows7-x64

10

Steam Chec...rk.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    01/01/2023, 04:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Steam Checker By abbadon/config/Config.bat

  • Size

    264B

  • MD5

    443439b6d74924824b35ee2fe65af7e7

  • SHA1

    c94233394c85c86ea0f1d658a32e5ab27f60730f

  • SHA256

    74d98354b2cf545581931fef42a42e8fc3298b236f6536cc31fa821f31b4e6da

  • SHA512

    98b28b6546e3fd3fbf89895c21ff6b7d93568559433addc4be238825a11445a2496c90a872f10e0b316fdaf07ee0ccbf4054d7c5483456ecbda36154b879f1be

Score
10/10
asyncratcrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

C

C2

185.81.157.169:2023

Mutex

7G6ZCBCA-NJ11-YS93-65bg-CX918E7238D5

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon\config\Config.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath "C:\Users" -force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4300
    • C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Microsoft\MicrosoftEdgeUpdates\EdgeUpdate" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe" /RL HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4372
    • C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Microsoft\SystemUpdates\SysUpdate" /tr "C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe" /RL HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:3360
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates
      2⤵
      • Views/modifies file attributes
      PID:520
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\SystemUpdates
      2⤵
      • Views/modifies file attributes
      PID:1236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File CopyTo.PS1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C2.PS1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5028
  • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
    C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: AddClipboardFormatListener
    PID:2720
  • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
    C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
        PID:4720
    • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
      C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
          PID:4672

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SystemUpdates.exe.log
        Filesize

        1KB

        MD5

        bfff6869253ff041b2b0be465df8bad1

        SHA1

        d87fbcb54700714919232c4236fa4bb6df589797

        SHA256

        889e9627d5df84d62c212051b683081e2852a5f6f8de17bf046ccf91b8b2d84d

        SHA512

        f4bb23a3805b65b825f1a1a954b807fed0c5f8b9f830e045efb3fe86200bccb52a4c41fe954ddf3c653afd5a31c1ead2785e67d39799e0bcad2a52a94b895a29

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        feadc4e1a70c13480ef147aca0c47bc0

        SHA1

        d7a5084c93842a290b24dacec0cd3904c2266819

        SHA256

        5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

        SHA512

        c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        96ff1ee586a153b4e7ce8661cabc0442

        SHA1

        140d4ff1840cb40601489f3826954386af612136

        SHA256

        0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

        SHA512

        3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        9ff30441e8e4b83e72e0070113d0cb21

        SHA1

        d6858187a709132a45784f508197a814946ab485

        SHA256

        63684432f113d9274f4e6df0713727b9f923f25640b247a94944ba6e78d56b2e

        SHA512

        6d0506336260bb692e3dfe8a6367718e8047ba425ba1eb089bcfb95c3fd9a4fdeae50d2ef103d4b32f20333b5592cd4bc3f95d75383a999b0ad459164a2242ef

        Download Submit

      • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
        Filesize

        15KB

        MD5

        492bd942c673806c4dc7d076d44a06de

        SHA1

        ace44cc6d1f875aa1b58c2c0c51901f9c11b0221

        SHA256

        30e04b25281b27e83652be61a8a61821730e30be65a95452c3b93a7a17333f00

        SHA512

        8a328d28055337629823795dcc96adf1fce2dba6079ec29472b81f8b89917d6b312efc0ec566732effcbfa95ddf96848dead444900096ed71da590dd3861477f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
        Filesize

        15KB

        MD5

        492bd942c673806c4dc7d076d44a06de

        SHA1

        ace44cc6d1f875aa1b58c2c0c51901f9c11b0221

        SHA256

        30e04b25281b27e83652be61a8a61821730e30be65a95452c3b93a7a17333f00

        SHA512

        8a328d28055337629823795dcc96adf1fce2dba6079ec29472b81f8b89917d6b312efc0ec566732effcbfa95ddf96848dead444900096ed71da590dd3861477f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
        Filesize

        242KB

        MD5

        640d55589c839016931890b47305d638

        SHA1

        bf5062f9c16a3966abe3e7dbb083f539f1b38126

        SHA256

        6dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689

        SHA512

        da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
        Filesize

        242KB

        MD5

        640d55589c839016931890b47305d638

        SHA1

        bf5062f9c16a3966abe3e7dbb083f539f1b38126

        SHA256

        6dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689

        SHA512

        da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
        Filesize

        242KB

        MD5

        640d55589c839016931890b47305d638

        SHA1

        bf5062f9c16a3966abe3e7dbb083f539f1b38126

        SHA256

        6dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689

        SHA512

        da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa

        Download Submit

      • memory/2340-159-0x0000000000F30000-0x0000000000F72000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2340-163-0x00000000060A0000-0x000000000613C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2720-162-0x0000000004E30000-0x0000000004E3A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2720-161-0x0000000004E50000-0x0000000004EE2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2720-160-0x0000000005520000-0x0000000005AC4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2720-158-0x0000000000480000-0x000000000048A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3640-135-0x00000153BD440000-0x00000153BD450000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3640-133-0x00000153D7690000-0x00000153D7712000-memory.dmp

        Filesize

        520KB

        Download

      • memory/3640-138-0x00007FFC08F50000-0x00007FFC09A11000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3640-137-0x00007FFC08F50000-0x00007FFC09A11000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3640-136-0x00000153D7930000-0x00000153D7A32000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3640-134-0x00000153D7630000-0x00000153D7652000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3892-150-0x00007FFC08F50000-0x00007FFC09A11000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4300-142-0x00007FFC08F50000-0x00007FFC09A11000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4300-143-0x00007FFC08F50000-0x00007FFC09A11000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4720-165-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4720-166-0x0000000005340000-0x0000000005442000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/5028-153-0x00007FFC08F50000-0x00007FFC09A11000-memory.dmp

        Filesize

        10.8MB

        Download