Overview

overview

10

Static

static

DOC_202210...ed.scr

windows7-x64

10

DOC_202210...ed.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    169s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-10-2022 04:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DOC_20221012_094045716_stripped.scr

  • Size

    105KB

  • MD5

    640cc9bb769a9591c548cc63a15d15bf

  • SHA1

    56e456d997ef4f2735b7ba48a3b0e4861327ed61

  • SHA256

    ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

  • SHA512

    9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

  • SSDEEP

    3072:M+rR+Y6VgvQdJK0vtNZg/V7S+O+dvvAun:M+BFI3vtNZNH+dv

Score
10/10
asyncratoct 11rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Oct 11

C2

donzola.duckdns.org:2000

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr
    "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr
      "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr"
      2⤵
        PID:5056
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
        2⤵
          PID:3368
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:2340
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
          2⤵
            PID:4604
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 468 -p 4508 -ip 4508
          1⤵
            PID:4984
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 4508 -s 2460
            1⤵
            • Program crash
            PID:4244
          • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
            "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3648
            • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
              "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
              2⤵
              • Executes dropped EXE
              PID:3700
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
              2⤵
                PID:1596
              • C:\Windows\SysWOW64\cmd.exe
                "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4268
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
                  3⤵
                  • Creates scheduled task(s)
                  PID:2332
              • C:\Windows\SysWOW64\cmd.exe
                "cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
                2⤵
                  PID:3624
              • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
                1⤵
                • Executes dropped EXE
                PID:880

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Scheduled Task

              1
              T1053

              Persistence

              Scheduled Task

              1
              T1053

              Privilege Escalation

              Scheduled Task

              1
              T1053

              Defense Evasion

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Media Player Network Sharing Service.exe.log
                Filesize

                612B

                MD5

                4bc94363628f46b343c5e8e2da62ca26

                SHA1

                8a41ac46e24d790e11a407d0e957c4a6be6056c4

                SHA256

                c8e1d0b306825b2c9a3ed32a461dd191ceb861205425fdfb687a4889684a3e1a

                SHA512

                cf8ede5b84ba775d8ff89752530fa899d6b2e6424549202ab782a3caa92c0d9a31e9b2f660b51eedc932a68ba25e9ec228bb965cdc183e600ea8aa5a6736f829

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                Filesize

                105KB

                MD5

                640cc9bb769a9591c548cc63a15d15bf

                SHA1

                56e456d997ef4f2735b7ba48a3b0e4861327ed61

                SHA256

                ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

                SHA512

                9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                Filesize

                105KB

                MD5

                640cc9bb769a9591c548cc63a15d15bf

                SHA1

                56e456d997ef4f2735b7ba48a3b0e4861327ed61

                SHA256

                ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

                SHA512

                9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                Filesize

                105KB

                MD5

                640cc9bb769a9591c548cc63a15d15bf

                SHA1

                56e456d997ef4f2735b7ba48a3b0e4861327ed61

                SHA256

                ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

                SHA512

                9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                Filesize

                105KB

                MD5

                640cc9bb769a9591c548cc63a15d15bf

                SHA1

                56e456d997ef4f2735b7ba48a3b0e4861327ed61

                SHA256

                ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

                SHA512

                9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

                Download Submit
              • memory/960-138-0x0000000000000000-mapping.dmp
                Download
              • memory/1596-146-0x0000000000000000-mapping.dmp
                Download
              • memory/2044-133-0x0000000005480000-0x0000000005A24000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/2044-134-0x0000000004F80000-0x0000000004FE6000-memory.dmp
                Filesize

                408KB

                Download
              • memory/2044-132-0x00000000005D0000-0x00000000005F0000-memory.dmp
                Filesize

                128KB

                Download
              • memory/2332-149-0x0000000000000000-mapping.dmp
                Download
              • memory/2340-140-0x0000000000000000-mapping.dmp
                Download
              • memory/3368-137-0x0000000000000000-mapping.dmp
                Download
              • memory/3624-148-0x0000000000000000-mapping.dmp
                Download
              • memory/3700-143-0x0000000000000000-mapping.dmp
                Download
              • memory/4268-147-0x0000000000000000-mapping.dmp
                Download
              • memory/4604-139-0x0000000000000000-mapping.dmp
                Download
              • memory/5056-136-0x0000000000400000-0x0000000000416000-memory.dmp
                Filesize

                88KB

                Download
              • memory/5056-135-0x0000000000000000-mapping.dmp
                Download