Analysis
-
max time kernel
644s -
max time network
676s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
14-10-2022 17:42
General
-
Target
T00WKSAU002DHSRQW_002.exe
-
Size
300.0MB
-
MD5
707a86802d4275cda27b6e989b691e0a
-
SHA1
5eb007b7e7f3ac28363329904493e443a15cdabf
-
SHA256
0a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
-
SHA512
511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
SSDEEP
3072:rvOIfhz+4a0+9bdRvixoww6r50iis79KfTYVY:hA10+9HvQ15Fjod
Malware Config
Extracted
asyncrat
0.5.7B
Default
thoe409.duckdns.org:6739
thoe409.duckdns.org:7301
thoe409.duckdns.org:7808
thoe409.duckdns.org:8333
thoe409.duckdns.org:6112
thoe409.duckdns.org:7553
thoe409.duckdns.org:6443
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 14 IoCs
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\T00WKSAU002DHSRQW_002.exe"C:\Users\Admin\AppData\Local\Temp\T00WKSAU002DHSRQW_002.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\T00WKSAU002DHSRQW_002.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {4D05BECB-61AA-408F-A572-C943A26D1F9F} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/384-207-0x0000000000000000-mapping.dmp
-
memory/468-184-0x0000000000000000-mapping.dmp
-
memory/564-189-0x0000000000000000-mapping.dmp
-
memory/568-214-0x000000000040C78E-mapping.dmp
-
memory/592-151-0x0000000000000000-mapping.dmp
-
memory/664-72-0x0000000000000000-mapping.dmp
-
memory/664-74-0x0000000000DE0000-0x0000000000E08000-memory.dmpFilesize
160KB
-
memory/696-140-0x000000000040C78E-mapping.dmp
-
memory/736-104-0x000000000040C78E-mapping.dmp
-
memory/744-170-0x0000000000000000-mapping.dmp
-
memory/744-78-0x0000000000000000-mapping.dmp
-
memory/744-122-0x000000000040C78E-mapping.dmp
-
memory/800-115-0x0000000000000000-mapping.dmp
-
memory/888-97-0x0000000000000000-mapping.dmp
-
memory/888-58-0x0000000000000000-mapping.dmp
-
memory/944-55-0x0000000075141000-0x0000000075143000-memory.dmpFilesize
8KB
-
memory/944-54-0x0000000000FB0000-0x0000000000FD8000-memory.dmpFilesize
160KB
-
memory/1040-196-0x000000000040C78E-mapping.dmp
-
memory/1084-206-0x0000000000000000-mapping.dmp
-
memory/1116-95-0x0000000000000000-mapping.dmp
-
memory/1156-133-0x0000000000000000-mapping.dmp
-
memory/1192-153-0x0000000000000000-mapping.dmp
-
memory/1212-131-0x0000000000000000-mapping.dmp
-
memory/1220-169-0x0000000000000000-mapping.dmp
-
memory/1288-96-0x0000000000000000-mapping.dmp
-
memory/1288-132-0x0000000000000000-mapping.dmp
-
memory/1288-57-0x0000000000000000-mapping.dmp
-
memory/1308-76-0x0000000000000000-mapping.dmp
-
memory/1412-147-0x0000000000000000-mapping.dmp
-
memory/1412-149-0x0000000001340000-0x0000000001368000-memory.dmpFilesize
160KB
-
memory/1476-128-0x0000000000000000-mapping.dmp
-
memory/1496-187-0x0000000000000000-mapping.dmp
-
memory/1612-152-0x0000000000000000-mapping.dmp
-
memory/1688-93-0x00000000012D0000-0x00000000012F8000-memory.dmpFilesize
160KB
-
memory/1688-91-0x0000000000000000-mapping.dmp
-
memory/1716-166-0x0000000000000000-mapping.dmp
-
memory/1740-113-0x0000000000000000-mapping.dmp
-
memory/1764-56-0x0000000000000000-mapping.dmp
-
memory/1908-110-0x0000000000000000-mapping.dmp
-
memory/1916-85-0x000000000040C78E-mapping.dmp
-
memory/1956-205-0x0000000000000000-mapping.dmp
-
memory/1960-171-0x0000000000000000-mapping.dmp
-
memory/1976-188-0x0000000000000000-mapping.dmp
-
memory/1984-65-0x000000000040C78E-mapping.dmp
-
memory/1984-60-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1984-63-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1984-59-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1984-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1984-64-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1984-67-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1984-69-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1992-160-0x000000000040C78E-mapping.dmp
-
memory/1992-114-0x0000000000000000-mapping.dmp
-
memory/2004-77-0x0000000000000000-mapping.dmp
-
memory/2016-202-0x0000000000000000-mapping.dmp
-
memory/2032-178-0x000000000040C78E-mapping.dmp