Overview

overview

10

Static

static

afcd19bfc8...37.exe

windows7_x64

10

afcd19bfc8...37.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 18:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afcd19bfc8c7d2e14b896774c2bc4c37.exe

  • Size

    571KB

  • MD5

    afcd19bfc8c7d2e14b896774c2bc4c37

  • SHA1

    e25f7298d5f0f8e241c9c7a5af34e643685ce6bd

  • SHA256

    0107796696a369ff65f7156be554659e8cba137cdf4af78da7daac9362820737

  • SHA512

    cb196072de8942d28535a8afb66223855308933936d774310eeabea822f3ec894112281c9d5477a1b0f31e6bae55bc1b2b4f665120c83bf2494449ea348dc88f

Score
10/10
asyncratnigatexpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Nigatex

C2

nigatex.ml:25565

Mutex

huieqwgehqweqduia

Attributes
  • delay

    1

  • install

    false

  • install_file

    MpCopyAccelerator.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\afcd19bfc8c7d2e14b896774c2bc4c37.exe
    "C:\Users\Admin\AppData\Local\Temp\afcd19bfc8c7d2e14b896774c2bc4c37.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3348
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe"'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
            "C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2632
            • C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
              C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
              6⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Adds Run key to start application
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2116
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\koYrP.vbs"
                7⤵
                • Checks computer location settings
                • Suspicious use of WriteProcessMemory
                PID:3812
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\
                  8⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3144
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe'" /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4536
              • C:\Windows\system32\schtasks.exe
                schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe'" /f
                7⤵
                • Creates scheduled task(s)
                PID:3556
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe" "C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe"
              6⤵
                PID:4400
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3164
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
          3⤵
          • Creates scheduled task(s)
          PID:2416
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\afcd19bfc8c7d2e14b896774c2bc4c37.exe" "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe"
        2⤵
          PID:320
      • C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
        C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4012
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
            PID:60
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4224
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
              3⤵
              • Creates scheduled task(s)
              PID:1372
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe" "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe"
            2⤵
              PID:3172
          • C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
            C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2960
            • C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
              C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
              2⤵
              • Executes dropped EXE
              PID:4876
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe'" /f
              2⤵
                PID:3000
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe'" /f
                  3⤵
                  • Creates scheduled task(s)
                  PID:4416
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe" "C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe"
                2⤵
                  PID:220

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Scripting

              1
              T1064

              Scheduled Task

              1
              T1053

              Persistence

              Registry Run Keys / Startup Folder

              1
              T1060

              Scheduled Task

              1
              T1053

              Privilege Escalation

              Scheduled Task

              1
              T1053

              Defense Evasion

              Scripting

              1
              T1064

              Modify Registry

              1
              T1112

              Credential Access

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nvcontainer.exe.log
                Filesize

                1KB

                MD5

                4de0e77d535f3cb568442a6af4546a62

                SHA1

                d6b0507582d6c1a1c8811b02a29197fbb0ac1432

                SHA256

                913af39d6fd885c4495c7616e5d23629a44a61e33a6edc6f2ca5523ec701b9f2

                SHA512

                e3974c19ac3173889f5678564bf1d502e6dcab3b47a4e17c33f3f74973345f3ba0297778e53e8a7cd650bb78a34bf96da8ef9b623956879a3e809f43665838cf

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                15KB

                MD5

                c08d3cdd7a149f8b7bb94d1543b8224a

                SHA1

                270770b2bcd15823f05885872b1ee451f0ddbb61

                SHA256

                926d322627591e1868d98abf79787ab599e5f60f9d75ed0227d8742d0f566e54

                SHA512

                0d8a962915f0ffe81d23fa3db8f07934b0e7d9ab693991ad1a58a9442ee035f89ecb54a1bd21cbced6f1d006aed37e14ed8d3a24baa35ba4e20716fa5197161f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\koYrP.vbs
                Filesize

                92B

                MD5

                4b13abd262e6f452b680b7c404285a32

                SHA1

                a5b55774c48678a82ab377a7d23a00ec6a174dea

                SHA256

                e09b4b2ffbca61fbfaa017d9a6c7c60ec4242bfc468bf2f58887e79c97966eff

                SHA512

                8dc590452e549d1dbb582e6552e5cfe960adeb43987435b67d6d1f18d3ff44e7be01f638a7f62f7f47da561303fdc5203ca4412639662f170b6e0022e3ae6bc8

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
                Filesize

                300.0MB

                MD5

                e407c7a0f100ef58922d20b19e4e8c35

                SHA1

                f7972f88dcec0b023fec33cb1b36e7fca5ec83e9

                SHA256

                da8f0aeae9a1ba45e7ac2f6a8fa31133ead466e88ea46a7f715fb29864fc1eb9

                SHA512

                72c9e6435b3f56da010aca568d9065283efee6cbb33896a70655cab254c853747692d5ca027cbcf846983fcb2451dad7fd4da944f201156ea6eea2fcc93899d9

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
                Filesize

                300.0MB

                MD5

                e407c7a0f100ef58922d20b19e4e8c35

                SHA1

                f7972f88dcec0b023fec33cb1b36e7fca5ec83e9

                SHA256

                da8f0aeae9a1ba45e7ac2f6a8fa31133ead466e88ea46a7f715fb29864fc1eb9

                SHA512

                72c9e6435b3f56da010aca568d9065283efee6cbb33896a70655cab254c853747692d5ca027cbcf846983fcb2451dad7fd4da944f201156ea6eea2fcc93899d9

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
                Filesize

                300.0MB

                MD5

                e407c7a0f100ef58922d20b19e4e8c35

                SHA1

                f7972f88dcec0b023fec33cb1b36e7fca5ec83e9

                SHA256

                da8f0aeae9a1ba45e7ac2f6a8fa31133ead466e88ea46a7f715fb29864fc1eb9

                SHA512

                72c9e6435b3f56da010aca568d9065283efee6cbb33896a70655cab254c853747692d5ca027cbcf846983fcb2451dad7fd4da944f201156ea6eea2fcc93899d9

                Download Submit
              • C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
                Filesize

                571KB

                MD5

                afcd19bfc8c7d2e14b896774c2bc4c37

                SHA1

                e25f7298d5f0f8e241c9c7a5af34e643685ce6bd

                SHA256

                0107796696a369ff65f7156be554659e8cba137cdf4af78da7daac9362820737

                SHA512

                cb196072de8942d28535a8afb66223855308933936d774310eeabea822f3ec894112281c9d5477a1b0f31e6bae55bc1b2b4f665120c83bf2494449ea348dc88f

                Download Submit
              • C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
                Filesize

                571KB

                MD5

                afcd19bfc8c7d2e14b896774c2bc4c37

                SHA1

                e25f7298d5f0f8e241c9c7a5af34e643685ce6bd

                SHA256

                0107796696a369ff65f7156be554659e8cba137cdf4af78da7daac9362820737

                SHA512

                cb196072de8942d28535a8afb66223855308933936d774310eeabea822f3ec894112281c9d5477a1b0f31e6bae55bc1b2b4f665120c83bf2494449ea348dc88f

                Download Submit
              • C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
                Filesize

                190.0MB

                MD5

                3a2cd04b52f4c8de2fd937095bcbf4bf

                SHA1

                1c8874673d316d30e292189f8285a438175b0cf6

                SHA256

                6e63ca205cbcb0891e17d205d9a121444b4e726456338ff417fb50d4f66f5754

                SHA512

                67a701834aeab41e0907c666cfa507ab6d29dfe2a81818a91d1a5d55a38a3ddd093dd6025f0a6d6ad97dfdebccaff4043ba6de2387e09b38e19fbaead953f6ff

                Download Submit
              • C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
                Filesize

                188.9MB

                MD5

                453dccbe42df38e50a9fc82805670875

                SHA1

                05f0bd7cffd1656db15c8604a130c3afdbfa607c

                SHA256

                229df0785091df32b6c8e30490779a22f8487f8c0be2d9f75e7aaa406db40cbf

                SHA512

                81c568387f8562802e6e948e4a8e1e55b6eff477680d6d0e5cae3cc773aa22c81364456b1835c73af3f4d9d097a858a185c8ec7f942ae076a3e4158ab78a9ad9

                Download Submit
              • C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
                Filesize

                86.9MB

                MD5

                4187fd10c2018aae03f47885edabe097

                SHA1

                2d43728419d763fe6bcce0531ddc2ca33063a67c

                SHA256

                4a3b11e9466ea1a357fd55286382afb7fc6de9ece753fd29385494e5eeea6852

                SHA512

                43c36bbd69944a1582cedaa1bfe2d0c14b33af88c67e7171a06199e7a07c0f1fadd6028c84d8103feb5097b5ff1a91806e9786214eb37d2c1d564227d7b4c7b3

                Download Submit
              • memory/60-160-0x0000000000000000-mapping.dmp
                Download
              • memory/220-192-0x0000000000000000-mapping.dmp
                Download
              • memory/320-138-0x0000000000000000-mapping.dmp
                Download
              • memory/1372-163-0x0000000000000000-mapping.dmp
                Download
              • memory/1960-148-0x0000000006030000-0x000000000604E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/1960-144-0x0000000002730000-0x0000000002766000-memory.dmp
                Filesize

                216KB

                Download
              • memory/1960-147-0x00000000059A0000-0x0000000005A06000-memory.dmp
                Filesize

                408KB

                Download
              • memory/1960-146-0x0000000005900000-0x0000000005922000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1960-149-0x0000000007040000-0x00000000070D6000-memory.dmp
                Filesize

                600KB

                Download
              • memory/1960-150-0x0000000006510000-0x000000000652A000-memory.dmp
                Filesize

                104KB

                Download
              • memory/1960-151-0x0000000006560000-0x0000000006582000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1960-145-0x0000000005210000-0x0000000005838000-memory.dmp
                Filesize

                6.2MB

                Download
              • memory/1960-143-0x0000000000000000-mapping.dmp
                Download
              • memory/2116-174-0x00007FF8D67B0000-0x00007FF8D7271000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2116-165-0x0000000140000000-0x000000014009A000-memory.dmp
                Filesize

                616KB

                Download
              • memory/2116-166-0x0000000140000000-mapping.dmp
                Download
              • memory/2116-172-0x00007FF8D67B0000-0x00007FF8D7271000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2416-137-0x0000000000000000-mapping.dmp
                Download
              • memory/2632-153-0x0000000000000000-mapping.dmp
                Download
              • memory/2632-173-0x00007FF8D67B0000-0x00007FF8D7271000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2632-155-0x00007FF6D6AD0000-0x00007FF6D6BC6000-memory.dmp
                Filesize

                984KB

                Download
              • memory/2632-156-0x00007FF8D67B0000-0x00007FF8D7271000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2632-168-0x00007FF8D67B0000-0x00007FF8D7271000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2960-185-0x00007FF775AC0000-0x00007FF775BB6000-memory.dmp
                Filesize

                984KB

                Download
              • memory/2960-186-0x00007FF8D67B0000-0x00007FF8D7271000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2960-193-0x00007FF8D67B0000-0x00007FF8D7271000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3000-190-0x0000000000000000-mapping.dmp
                Download
              • memory/3144-177-0x0000000000000000-mapping.dmp
                Download
              • memory/3144-178-0x0000019EBC6F0000-0x0000019EBC712000-memory.dmp
                Filesize

                136KB

                Download
              • memory/3144-181-0x00007FF8D67B0000-0x00007FF8D7271000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3144-180-0x00007FF8D67B0000-0x00007FF8D7271000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3164-136-0x0000000000000000-mapping.dmp
                Download
              • memory/3172-164-0x0000000000000000-mapping.dmp
                Download
              • memory/3348-142-0x0000000000000000-mapping.dmp
                Download
              • memory/3556-170-0x0000000000000000-mapping.dmp
                Download
              • memory/3572-130-0x0000000001000000-0x0000000001050000-memory.dmp
                Filesize

                320KB

                Download
              • memory/3572-132-0x00000000052A0000-0x0000000005844000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/3572-131-0x0000000004BB0000-0x0000000004C16000-memory.dmp
                Filesize

                408KB

                Download
              • memory/3812-175-0x0000000000000000-mapping.dmp
                Download
              • memory/4012-159-0x0000000000E80000-0x0000000000ED0000-memory.dmp
                Filesize

                320KB

                Download
              • memory/4224-162-0x0000000000000000-mapping.dmp
                Download
              • memory/4392-141-0x0000000006580000-0x000000000659E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/4392-139-0x0000000005370000-0x000000000540C000-memory.dmp
                Filesize

                624KB

                Download
              • memory/4392-140-0x00000000065B0000-0x0000000006626000-memory.dmp
                Filesize

                472KB

                Download
              • memory/4392-135-0x0000000000300000-0x0000000000312000-memory.dmp
                Filesize

                72KB

                Download
              • memory/4392-134-0x0000000000400000-0x0000000000412000-memory.dmp
                Filesize

                72KB

                Download
              • memory/4392-133-0x0000000000000000-mapping.dmp
                Download
              • memory/4400-171-0x0000000000000000-mapping.dmp
                Download
              • memory/4416-191-0x0000000000000000-mapping.dmp
                Download
              • memory/4536-169-0x0000000000000000-mapping.dmp
                Download
              • memory/4876-188-0x0000000140000000-mapping.dmp
                Download
              • memory/4876-194-0x00007FF8D67B0000-0x00007FF8D7271000-memory.dmp
                Filesize

                10.8MB

                Download