Overview

overview

10

Static

static

DOC_202210...cr.exe

windows7-x64

10

DOC_202210...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    15/10/2022, 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DOC_20221012_094045716_stripped.scr.exe

  • Size

    105KB

  • MD5

    640cc9bb769a9591c548cc63a15d15bf

  • SHA1

    56e456d997ef4f2735b7ba48a3b0e4861327ed61

  • SHA256

    ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

  • SHA512

    9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

  • SSDEEP

    3072:M+rR+Y6VgvQdJK0vtNZg/V7S+O+dvvAun:M+BFI3vtNZNH+dv

Score
10/10
asyncratoct 11rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Oct 11

C2

donzola.duckdns.org:2000

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 11 IoCs
    rat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr.exe"
      2⤵
        PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
        2⤵
          PID:1888
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1716
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:740
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr.exe" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
          2⤵
            PID:292
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {87881D81-3F94-4E6F-BEAA-86207FE8ED42} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
            "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1940
            • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
              "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
              3⤵
              • Executes dropped EXE
              PID:300
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
              3⤵
                PID:628
              • C:\Windows\SysWOW64\cmd.exe
                "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1676
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
                  4⤵
                  • Creates scheduled task(s)
                  PID:1088
              • C:\Windows\SysWOW64\cmd.exe
                "cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
                3⤵
                  PID:1720
              • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
                2⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                PID:1604
                • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                  "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
                  3⤵
                  • Executes dropped EXE
                  PID:1952
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
                  3⤵
                    PID:620
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
                    3⤵
                      PID:428
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
                        4⤵
                        • Creates scheduled task(s)
                        PID:740
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
                      3⤵
                        PID:1344

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                    Filesize

                    105KB

                    MD5

                    640cc9bb769a9591c548cc63a15d15bf

                    SHA1

                    56e456d997ef4f2735b7ba48a3b0e4861327ed61

                    SHA256

                    ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

                    SHA512

                    9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                    Filesize

                    105KB

                    MD5

                    640cc9bb769a9591c548cc63a15d15bf

                    SHA1

                    56e456d997ef4f2735b7ba48a3b0e4861327ed61

                    SHA256

                    ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

                    SHA512

                    9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                    Filesize

                    105KB

                    MD5

                    640cc9bb769a9591c548cc63a15d15bf

                    SHA1

                    56e456d997ef4f2735b7ba48a3b0e4861327ed61

                    SHA256

                    ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

                    SHA512

                    9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                    Filesize

                    105KB

                    MD5

                    640cc9bb769a9591c548cc63a15d15bf

                    SHA1

                    56e456d997ef4f2735b7ba48a3b0e4861327ed61

                    SHA256

                    ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

                    SHA512

                    9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                    Filesize

                    105KB

                    MD5

                    640cc9bb769a9591c548cc63a15d15bf

                    SHA1

                    56e456d997ef4f2735b7ba48a3b0e4861327ed61

                    SHA256

                    ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

                    SHA512

                    9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

                    Download Submit

                  • \Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                    Filesize

                    105KB

                    MD5

                    640cc9bb769a9591c548cc63a15d15bf

                    SHA1

                    56e456d997ef4f2735b7ba48a3b0e4861327ed61

                    SHA256

                    ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

                    SHA512

                    9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

                    Download Submit

                  • \Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
                    Filesize

                    105KB

                    MD5

                    640cc9bb769a9591c548cc63a15d15bf

                    SHA1

                    56e456d997ef4f2735b7ba48a3b0e4861327ed61

                    SHA256

                    ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

                    SHA512

                    9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

                    Download Submit

                  • memory/300-90-0x0000000000090000-0x00000000000A6000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1096-54-0x0000000000D00000-0x0000000000D20000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1096-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/1940-76-0x0000000000120000-0x0000000000140000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/1952-115-0x0000000000090000-0x00000000000A6000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1952-118-0x0000000000090000-0x00000000000A6000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1972-59-0x0000000000400000-0x0000000000416000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1972-56-0x0000000000400000-0x0000000000416000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1972-61-0x0000000000400000-0x0000000000416000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1972-57-0x0000000000400000-0x0000000000416000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1972-62-0x0000000000400000-0x0000000000416000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1972-67-0x0000000000400000-0x0000000000416000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1972-65-0x0000000000400000-0x0000000000416000-memory.dmp

                    Filesize

                    88KB

                    Download