Overview

overview

10

Static

static

DOC_202210...ed.scr

windows7-x64

10

DOC_202210...ed.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    98s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    15-10-2022 04:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DOC_20221012_094045716_stripped.scr

  • Size

    105KB

  • MD5

    640cc9bb769a9591c548cc63a15d15bf

  • SHA1

    56e456d997ef4f2735b7ba48a3b0e4861327ed61

  • SHA256

    ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

  • SHA512

    9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

  • SSDEEP

    3072:M+rR+Y6VgvQdJK0vtNZg/V7S+O+dvvAun:M+BFI3vtNZNH+dv

Score
10/10
asyncratoct 11rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Oct 11

C2

donzola.duckdns.org:2000

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 6 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr
    "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr
      "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr"
      2⤵
        PID:1468
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
        2⤵
          PID:276
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:436
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:1380
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
          2⤵
            PID:588
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {05193E2C-6366-4106-8507-9FEFBDF88F1E} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1392
          • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
            "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
            2⤵
            • Executes dropped EXE
            PID:1168

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
          Filesize

          105KB

          MD5

          640cc9bb769a9591c548cc63a15d15bf

          SHA1

          56e456d997ef4f2735b7ba48a3b0e4861327ed61

          SHA256

          ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

          SHA512

          9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
          Filesize

          105KB

          MD5

          640cc9bb769a9591c548cc63a15d15bf

          SHA1

          56e456d997ef4f2735b7ba48a3b0e4861327ed61

          SHA256

          ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

          SHA512

          9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

          Download Submit
        • memory/276-68-0x0000000000000000-mapping.dmp
          Download
        • memory/436-69-0x0000000000000000-mapping.dmp
          Download
        • memory/588-70-0x0000000000000000-mapping.dmp
          Download
        • memory/1168-76-0x0000000000310000-0x0000000000330000-memory.dmp
          Filesize

          128KB

          Download
        • memory/1168-74-0x0000000000000000-mapping.dmp
          Download
        • memory/1380-71-0x0000000000000000-mapping.dmp
          Download
        • memory/1468-57-0x0000000000400000-0x0000000000416000-memory.dmp
          Filesize

          88KB

          Download
        • memory/1468-67-0x0000000000400000-0x0000000000416000-memory.dmp
          Filesize

          88KB

          Download
        • memory/1468-65-0x0000000000400000-0x0000000000416000-memory.dmp
          Filesize

          88KB

          Download
        • memory/1468-63-0x000000000040C73E-mapping.dmp
          Download
        • memory/1468-62-0x0000000000400000-0x0000000000416000-memory.dmp
          Filesize

          88KB

          Download
        • memory/1468-61-0x0000000000400000-0x0000000000416000-memory.dmp
          Filesize

          88KB

          Download
        • memory/1468-59-0x0000000000400000-0x0000000000416000-memory.dmp
          Filesize

          88KB

          Download
        • memory/1468-56-0x0000000000400000-0x0000000000416000-memory.dmp
          Filesize

          88KB

          Download
        • memory/1960-54-0x0000000000FB0000-0x0000000000FD0000-memory.dmp
          Filesize

          128KB

          Download
        • memory/1960-55-0x00000000751A1000-0x00000000751A3000-memory.dmp
          Filesize

          8KB

          Download