
Analysis

  • max time kernel
    1800s
  • max time network
    1146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/12/2024, 20:21

General

  • Target

    Bawless Windows Cracked By Vidhayakji786.rar

  • Size

    102.1MB

  • MD5

    99a1d2a905676cf0542c2a4d45e58d46

  • SHA1

    35fac87f8ca98865b6dee79023fb1c55cb925f0d

  • SHA256

    1801c0278583e34f09b0a202c83afbc6f2bb97ab0acb2932057a25e5eba597a6

  • SHA512

    3b1027101ef2d18a83aabd399c5ae3432b30f9ce541635ed35d1708864c55f94054b013e1c19e5b681838698067c8d6d722c3f9cf4c8b74c5c4ea8be40da8737

  • SSDEEP

    3145728:lp5yB7PXOvhxn3VGFEWDE6YorqEU+vhI9C:lpIB7PevhVVGbw5oex9C

Malware Config

Extracted

Family

asyncrat

Version

Bawless Remote

Botnet

USGR6

C2

127.0.0.1:15

Mutex

7OZIOLO37

Attributes
  • delay

    0

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 2 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Bawless Windows Cracked By Vidhayakji786.rar"
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4952
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:1400
    • C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe
      "C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe"
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3664
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      PID:4916
      • C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless.exe
        "C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless.exe"
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4544
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        PID:1584
        • C:\Users\Admin\Desktop\bawless-client.exe
          "C:\Users\Admin\Desktop\bawless-client.exe"
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1156

Network

MITRE ATT&CK Enterprise v15

Downloads
