Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

Steam Chec...ne.dll

windows7-x64

1

Steam Chec...ne.dll

windows10-2004-x64

1

Steam Chec...52.dll

windows7-x64

1

Steam Chec...52.dll

windows10-2004-x64

1

Steam Chec...me.dll

windows7-x64

1

Steam Chec...me.dll

windows10-2004-x64

1

Steam Chec...in.dll

windows7-x64

1

Steam Chec...in.dll

windows10-2004-x64

1

Steam Chec...gn.dll

windows7-x64

1

Steam Chec...gn.dll

windows10-2004-x64

1

Steam Chec...ts.dll

windows7-x64

1

Steam Chec...ts.dll

windows10-2004-x64

1

Steam Chec...rk.dll

windows7-x64

1

Steam Chec...rk.dll

windows10-2004-x64

1

Steam Chec....0.dll

windows7-x64

1

Steam Chec....0.dll

windows10-2004-x64

1

Steam Chec...on.dll

windows7-x64

1

Steam Chec...on.dll

windows10-2004-x64

1

Steam Chec...on.exe

windows7-x64

10

Steam Chec...on.exe

windows10-2004-x64

10

Steam Chec...ne.dll

windows7-x64

1

Steam Chec...ne.dll

windows10-2004-x64

1

Steam Chec...en.dll

windows7-x64

1

Steam Chec...en.dll

windows10-2004-x64

1

Steam Chec...ig.bat

windows7-x64

10

Steam Chec...ig.bat

windows10-2004-x64

10

Steam Chec...C2.ps1

windows7-x64

1

Steam Chec...C2.ps1

windows10-2004-x64

1

Steam Chec...To.ps1

windows7-x64

1

Steam Chec...To.ps1

windows10-2004-x64

1

Steam Chec...rk.bat

windows7-x64

10

Steam Chec...rk.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    01/01/2023, 04:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Steam Checker By abbadon/config/System/FrameWork.bat

  • Size

    520B

  • MD5

    e2bbc4167314dc0fc9acba48f2c94b74

  • SHA1

    a6b4a5502f2078353769d9bd22ce632ff9035067

  • SHA256

    20cf5b36516ca5251a79e6dcd08f6f8e6f3696ef24959829bc5a387950b7d178

  • SHA512

    4cc2946ce8ce192b3e7bf1ea51a3305e7656c229ca1c5795c4f3762df0005d7b3db2a4e676c8b9ecbf9d770b6c379a9c15a9f3fa994ca829faea30dd64fece9d

Score
10/10
asyncratcrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

C

C2

185.81.157.169:2023

Mutex

7G6ZCBCA-NJ11-YS93-65bg-CX918E7238D5

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon\config\System\FrameWork.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Microsoft\MicrosoftEdgeUpdates\EdgeUpdate" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe" /RL HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4440
    • C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Microsoft\SystemUpdates\SysUpdate" /tr "C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe" /RL HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4452
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates
      2⤵
      • Views/modifies file attributes
      PID:3360
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\SystemUpdates
      2⤵
      • Views/modifies file attributes
      PID:4188
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File CopyTo.PS1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C2.PS1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5108
  • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
    C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: AddClipboardFormatListener
    PID:1248
  • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
    C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
        PID:2664
    • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
      C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
          PID:2576

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SystemUpdates.exe.log
        Filesize

        1KB

        MD5

        bfff6869253ff041b2b0be465df8bad1

        SHA1

        d87fbcb54700714919232c4236fa4bb6df589797

        SHA256

        889e9627d5df84d62c212051b683081e2852a5f6f8de17bf046ccf91b8b2d84d

        SHA512

        f4bb23a3805b65b825f1a1a954b807fed0c5f8b9f830e045efb3fe86200bccb52a4c41fe954ddf3c653afd5a31c1ead2785e67d39799e0bcad2a52a94b895a29

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        2ad33642f863ae14ee53bc6853ee330e

        SHA1

        ca81cc7d8c33a46ebe97bc1d3db55e41a813029e

        SHA256

        17c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19

        SHA512

        52c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
        Filesize

        15KB

        MD5

        492bd942c673806c4dc7d076d44a06de

        SHA1

        ace44cc6d1f875aa1b58c2c0c51901f9c11b0221

        SHA256

        30e04b25281b27e83652be61a8a61821730e30be65a95452c3b93a7a17333f00

        SHA512

        8a328d28055337629823795dcc96adf1fce2dba6079ec29472b81f8b89917d6b312efc0ec566732effcbfa95ddf96848dead444900096ed71da590dd3861477f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
        Filesize

        15KB

        MD5

        492bd942c673806c4dc7d076d44a06de

        SHA1

        ace44cc6d1f875aa1b58c2c0c51901f9c11b0221

        SHA256

        30e04b25281b27e83652be61a8a61821730e30be65a95452c3b93a7a17333f00

        SHA512

        8a328d28055337629823795dcc96adf1fce2dba6079ec29472b81f8b89917d6b312efc0ec566732effcbfa95ddf96848dead444900096ed71da590dd3861477f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
        Filesize

        242KB

        MD5

        640d55589c839016931890b47305d638

        SHA1

        bf5062f9c16a3966abe3e7dbb083f539f1b38126

        SHA256

        6dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689

        SHA512

        da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
        Filesize

        242KB

        MD5

        640d55589c839016931890b47305d638

        SHA1

        bf5062f9c16a3966abe3e7dbb083f539f1b38126

        SHA256

        6dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689

        SHA512

        da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
        Filesize

        242KB

        MD5

        640d55589c839016931890b47305d638

        SHA1

        bf5062f9c16a3966abe3e7dbb083f539f1b38126

        SHA256

        6dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689

        SHA512

        da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa

        Download Submit

      • memory/656-139-0x000001BBF4DF0000-0x000001BBF4E12000-memory.dmp

        Filesize

        136KB

        Download

      • memory/656-141-0x000001BBF6710000-0x000001BBF6812000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/656-142-0x00007FFF4DB70000-0x00007FFF4E631000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/656-140-0x00007FFF4DB70000-0x00007FFF4E631000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/656-138-0x000001BBF4DB0000-0x000001BBF4DC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/656-137-0x000001BBF5BC0000-0x000001BBF5C42000-memory.dmp

        Filesize

        520KB

        Download

      • memory/1248-153-0x0000000005040000-0x00000000055E4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1248-154-0x0000000004A90000-0x0000000004B22000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1248-155-0x0000000004B80000-0x0000000004B8A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1248-151-0x0000000000030000-0x000000000003A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2664-158-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2664-159-0x00000000056C0000-0x00000000057C2000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3636-152-0x0000000000F50000-0x0000000000F92000-memory.dmp

        Filesize

        264KB

        Download

      • memory/3636-156-0x0000000006100000-0x000000000619C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/5108-146-0x00007FFF4DB70000-0x00007FFF4E631000-memory.dmp

        Filesize

        10.8MB

        Download