Overview

overview

10

Static

static

afcd19bfc8...37.exe

windows7_x64

10

afcd19bfc8...37.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    124s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 18:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afcd19bfc8c7d2e14b896774c2bc4c37.exe

  • Size

    571KB

  • MD5

    afcd19bfc8c7d2e14b896774c2bc4c37

  • SHA1

    e25f7298d5f0f8e241c9c7a5af34e643685ce6bd

  • SHA256

    0107796696a369ff65f7156be554659e8cba137cdf4af78da7daac9362820737

  • SHA512

    cb196072de8942d28535a8afb66223855308933936d774310eeabea822f3ec894112281c9d5477a1b0f31e6bae55bc1b2b4f665120c83bf2494449ea348dc88f

Score
10/10
asyncratnigatexrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Nigatex

C2

nigatex.ml:25565

Mutex

huieqwgehqweqduia

Attributes
  • delay

    1

  • install

    false

  • install_file

    MpCopyAccelerator.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 8 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\afcd19bfc8c7d2e14b896774c2bc4c37.exe
    "C:\Users\Admin\AppData\Local\Temp\afcd19bfc8c7d2e14b896774c2bc4c37.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe"'
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
            "C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1384
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:1684
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\afcd19bfc8c7d2e14b896774c2bc4c37.exe" "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe"
      2⤵
        PID:1988
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {C710F397-C5ED-4464-9982-2223ED5E9E2B} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
        C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
        2⤵
        • Executes dropped EXE
        PID:976
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          3⤵
            PID:1600
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1640
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
              4⤵
              • Creates scheduled task(s)
              PID:1676
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe" "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe"
            3⤵
              PID:2036
          • C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
            C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:964
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              3⤵
                PID:1496
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:668
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
                  4⤵
                  • Creates scheduled task(s)
                  PID:1044
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe" "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe"
                3⤵
                  PID:432

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scripting

            1
            T1064

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Scripting

            1
            T1064

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
              Filesize

              300.0MB

              MD5

              e407c7a0f100ef58922d20b19e4e8c35

              SHA1

              f7972f88dcec0b023fec33cb1b36e7fca5ec83e9

              SHA256

              da8f0aeae9a1ba45e7ac2f6a8fa31133ead466e88ea46a7f715fb29864fc1eb9

              SHA512

              72c9e6435b3f56da010aca568d9065283efee6cbb33896a70655cab254c853747692d5ca027cbcf846983fcb2451dad7fd4da944f201156ea6eea2fcc93899d9

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
              Filesize

              300.0MB

              MD5

              e407c7a0f100ef58922d20b19e4e8c35

              SHA1

              f7972f88dcec0b023fec33cb1b36e7fca5ec83e9

              SHA256

              da8f0aeae9a1ba45e7ac2f6a8fa31133ead466e88ea46a7f715fb29864fc1eb9

              SHA512

              72c9e6435b3f56da010aca568d9065283efee6cbb33896a70655cab254c853747692d5ca027cbcf846983fcb2451dad7fd4da944f201156ea6eea2fcc93899d9

              Download Submit
            • C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
              Filesize

              571KB

              MD5

              afcd19bfc8c7d2e14b896774c2bc4c37

              SHA1

              e25f7298d5f0f8e241c9c7a5af34e643685ce6bd

              SHA256

              0107796696a369ff65f7156be554659e8cba137cdf4af78da7daac9362820737

              SHA512

              cb196072de8942d28535a8afb66223855308933936d774310eeabea822f3ec894112281c9d5477a1b0f31e6bae55bc1b2b4f665120c83bf2494449ea348dc88f

              Download Submit
            • C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
              Filesize

              571KB

              MD5

              afcd19bfc8c7d2e14b896774c2bc4c37

              SHA1

              e25f7298d5f0f8e241c9c7a5af34e643685ce6bd

              SHA256

              0107796696a369ff65f7156be554659e8cba137cdf4af78da7daac9362820737

              SHA512

              cb196072de8942d28535a8afb66223855308933936d774310eeabea822f3ec894112281c9d5477a1b0f31e6bae55bc1b2b4f665120c83bf2494449ea348dc88f

              Download Submit
            • C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
              Filesize

              571KB

              MD5

              afcd19bfc8c7d2e14b896774c2bc4c37

              SHA1

              e25f7298d5f0f8e241c9c7a5af34e643685ce6bd

              SHA256

              0107796696a369ff65f7156be554659e8cba137cdf4af78da7daac9362820737

              SHA512

              cb196072de8942d28535a8afb66223855308933936d774310eeabea822f3ec894112281c9d5477a1b0f31e6bae55bc1b2b4f665120c83bf2494449ea348dc88f

              Download Submit
            • \??\PIPE\lsarpc
              MD5

              d41d8cd98f00b204e9800998ecf8427e

              SHA1

              da39a3ee5e6b4b0d3255bfef95601890afd80709

              SHA256

              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

              SHA512

              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

              Download Submit
            • \Users\Admin\AppData\Local\Temp\nvcontainer.exe
              Filesize

              300.0MB

              MD5

              e407c7a0f100ef58922d20b19e4e8c35

              SHA1

              f7972f88dcec0b023fec33cb1b36e7fca5ec83e9

              SHA256

              da8f0aeae9a1ba45e7ac2f6a8fa31133ead466e88ea46a7f715fb29864fc1eb9

              SHA512

              72c9e6435b3f56da010aca568d9065283efee6cbb33896a70655cab254c853747692d5ca027cbcf846983fcb2451dad7fd4da944f201156ea6eea2fcc93899d9

              Download Submit
            • memory/432-106-0x0000000000000000-mapping.dmp
              Download
            • memory/668-104-0x0000000000000000-mapping.dmp
              Download
            • memory/952-65-0x0000000000400000-0x0000000000412000-memory.dmp
              Filesize

              72KB

              Download
            • memory/952-61-0x0000000000400000-0x0000000000412000-memory.dmp
              Filesize

              72KB

              Download
            • memory/952-59-0x0000000000400000-0x0000000000412000-memory.dmp
              Filesize

              72KB

              Download
            • memory/952-57-0x0000000000400000-0x0000000000412000-memory.dmp
              Filesize

              72KB

              Download
            • memory/952-72-0x00000000003F0000-0x00000000003FC000-memory.dmp
              Filesize

              48KB

              Download
            • memory/952-62-0x0000000000400000-0x0000000000412000-memory.dmp
              Filesize

              72KB

              Download
            • memory/952-56-0x0000000000400000-0x0000000000412000-memory.dmp
              Filesize

              72KB

              Download
            • memory/952-63-0x000000000040CB9E-mapping.dmp
              Download
            • memory/952-67-0x0000000000400000-0x0000000000412000-memory.dmp
              Filesize

              72KB

              Download
            • memory/964-90-0x0000000000A40000-0x0000000000A90000-memory.dmp
              Filesize

              320KB

              Download
            • memory/964-88-0x0000000000000000-mapping.dmp
              Download
            • memory/976-84-0x0000000000000000-mapping.dmp
              Download
            • memory/1044-105-0x0000000000000000-mapping.dmp
              Download
            • memory/1052-55-0x00000000763E1000-0x00000000763E3000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1052-54-0x0000000001050000-0x00000000010A0000-memory.dmp
              Filesize

              320KB

              Download
            • memory/1344-68-0x0000000000000000-mapping.dmp
              Download
            • memory/1384-81-0x000000013FA60000-0x000000013FB56000-memory.dmp
              Filesize

              984KB

              Download
            • memory/1384-79-0x0000000000000000-mapping.dmp
              Download
            • memory/1496-99-0x000000000040CB9E-mapping.dmp
              Download
            • memory/1676-86-0x0000000000000000-mapping.dmp
              Download
            • memory/1684-69-0x0000000000000000-mapping.dmp
              Download
            • memory/1724-73-0x0000000000000000-mapping.dmp
              Download
            • memory/1976-76-0x000000006ED40000-0x000000006F2EB000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/1976-82-0x000000006ED40000-0x000000006F2EB000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/1976-74-0x0000000000000000-mapping.dmp
              Download
            • memory/1988-70-0x0000000000000000-mapping.dmp
              Download