asyncrat | ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2022, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOC_20221012_094045716_stripped.scr.exe
Size

105KB
MD5

640cc9bb769a9591c548cc63a15d15bf
SHA1

56e456d997ef4f2735b7ba48a3b0e4861327ed61
SHA256

ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e
SHA512

9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06
SSDEEP

3072:M+rR+Y6VgvQdJK0vtNZg/V7S+O+dvvAun:M+BFI3vtNZNH+dv

Score

10^/10

asyncrat oct 11 rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Oct 11

donzola.duckdns.org:2000

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2376-136-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Executes dropped EXE 4 IoCs

pid	Process
2156	Windows Media Player Network Sharing Service.exe
2256	Windows Media Player Network Sharing Service.exe
3784	Windows Media Player Network Sharing Service.exe
4748	Windows Media Player Network Sharing Service.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4864 set thread context of 2376	4864	DOC_20221012_094045716_stripped.scr.exe	90
PID 2156 set thread context of 2256	2156	Windows Media Player Network Sharing Service.exe	99
PID 3784 set thread context of 4748	3784	Windows Media Player Network Sharing Service.exe	108

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1164	schtasks.exe
2752	schtasks.exe
2816	schtasks.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2376	4864	DOC_20221012_094045716_stripped.scr.exe	90
PID 4864 wrote to memory of 2376	4864	DOC_20221012_094045716_stripped.scr.exe	90
PID 4864 wrote to memory of 2376	4864	DOC_20221012_094045716_stripped.scr.exe	90
PID 4864 wrote to memory of 2376	4864	DOC_20221012_094045716_stripped.scr.exe	90
PID 4864 wrote to memory of 2376	4864	DOC_20221012_094045716_stripped.scr.exe	90
PID 4864 wrote to memory of 2376	4864	DOC_20221012_094045716_stripped.scr.exe	90
PID 4864 wrote to memory of 2376	4864	DOC_20221012_094045716_stripped.scr.exe	90
PID 4864 wrote to memory of 2376	4864	DOC_20221012_094045716_stripped.scr.exe	90
PID 4864 wrote to memory of 864	4864	DOC_20221012_094045716_stripped.scr.exe	91
PID 4864 wrote to memory of 864	4864	DOC_20221012_094045716_stripped.scr.exe	91
PID 4864 wrote to memory of 864	4864	DOC_20221012_094045716_stripped.scr.exe	91
PID 4864 wrote to memory of 4876	4864	DOC_20221012_094045716_stripped.scr.exe	94
PID 4864 wrote to memory of 4876	4864	DOC_20221012_094045716_stripped.scr.exe	94
PID 4864 wrote to memory of 4876	4864	DOC_20221012_094045716_stripped.scr.exe	94
PID 4864 wrote to memory of 672	4864	DOC_20221012_094045716_stripped.scr.exe	92
PID 4864 wrote to memory of 672	4864	DOC_20221012_094045716_stripped.scr.exe	92
PID 4864 wrote to memory of 672	4864	DOC_20221012_094045716_stripped.scr.exe	92
PID 4876 wrote to memory of 1164	4876	cmd.exe	97
PID 4876 wrote to memory of 1164	4876	cmd.exe	97
PID 4876 wrote to memory of 1164	4876	cmd.exe	97
PID 2156 wrote to memory of 2256	2156	Windows Media Player Network Sharing Service.exe	99
PID 2156 wrote to memory of 2256	2156	Windows Media Player Network Sharing Service.exe	99
PID 2156 wrote to memory of 2256	2156	Windows Media Player Network Sharing Service.exe	99
PID 2156 wrote to memory of 2256	2156	Windows Media Player Network Sharing Service.exe	99
PID 2156 wrote to memory of 2256	2156	Windows Media Player Network Sharing Service.exe	99
PID 2156 wrote to memory of 2256	2156	Windows Media Player Network Sharing Service.exe	99
PID 2156 wrote to memory of 2256	2156	Windows Media Player Network Sharing Service.exe	99
PID 2156 wrote to memory of 2256	2156	Windows Media Player Network Sharing Service.exe	99
PID 2156 wrote to memory of 4712	2156	Windows Media Player Network Sharing Service.exe	100
PID 2156 wrote to memory of 4712	2156	Windows Media Player Network Sharing Service.exe	100
PID 2156 wrote to memory of 4712	2156	Windows Media Player Network Sharing Service.exe	100
PID 2156 wrote to memory of 4312	2156	Windows Media Player Network Sharing Service.exe	102
PID 2156 wrote to memory of 4312	2156	Windows Media Player Network Sharing Service.exe	102
PID 2156 wrote to memory of 4312	2156	Windows Media Player Network Sharing Service.exe	102
PID 2156 wrote to memory of 4616	2156	Windows Media Player Network Sharing Service.exe	104
PID 2156 wrote to memory of 4616	2156	Windows Media Player Network Sharing Service.exe	104
PID 2156 wrote to memory of 4616	2156	Windows Media Player Network Sharing Service.exe	104
PID 4312 wrote to memory of 2752	4312	cmd.exe	106
PID 4312 wrote to memory of 2752	4312	cmd.exe	106
PID 4312 wrote to memory of 2752	4312	cmd.exe	106
PID 3784 wrote to memory of 4748	3784	Windows Media Player Network Sharing Service.exe	108
PID 3784 wrote to memory of 4748	3784	Windows Media Player Network Sharing Service.exe	108
PID 3784 wrote to memory of 4748	3784	Windows Media Player Network Sharing Service.exe	108
PID 3784 wrote to memory of 4748	3784	Windows Media Player Network Sharing Service.exe	108
PID 3784 wrote to memory of 4748	3784	Windows Media Player Network Sharing Service.exe	108
PID 3784 wrote to memory of 4748	3784	Windows Media Player Network Sharing Service.exe	108
PID 3784 wrote to memory of 4748	3784	Windows Media Player Network Sharing Service.exe	108
PID 3784 wrote to memory of 4748	3784	Windows Media Player Network Sharing Service.exe	108
PID 3784 wrote to memory of 4228	3784	Windows Media Player Network Sharing Service.exe	109
PID 3784 wrote to memory of 4228	3784	Windows Media Player Network Sharing Service.exe	109
PID 3784 wrote to memory of 4228	3784	Windows Media Player Network Sharing Service.exe	109
PID 3784 wrote to memory of 3332	3784	Windows Media Player Network Sharing Service.exe	110
PID 3784 wrote to memory of 3332	3784	Windows Media Player Network Sharing Service.exe	110
PID 3784 wrote to memory of 3332	3784	Windows Media Player Network Sharing Service.exe	110
PID 3784 wrote to memory of 3956	3784	Windows Media Player Network Sharing Service.exe	113
PID 3784 wrote to memory of 3956	3784	Windows Media Player Network Sharing Service.exe	113
PID 3784 wrote to memory of 3956	3784	Windows Media Player Network Sharing Service.exe	113
PID 3332 wrote to memory of 2816	3332	cmd.exe	115
PID 3332 wrote to memory of 2816	3332	cmd.exe	115
PID 3332 wrote to memory of 2816	3332	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr.exe
"C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr.exe"
  2⤵
  PID:2376
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
  2⤵
  PID:864
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716_stripped.scr.exe" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
  2⤵
  PID:672
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1164

C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
"C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
  "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
  2⤵
  PID:4712
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
  2⤵
  PID:4616

C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
"C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
  "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
  2⤵
  PID:4228
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
  2⤵
  PID:3956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Media Player Network Sharing Service.exe.log

Filesize
612B

MD5
4bc94363628f46b343c5e8e2da62ca26

SHA1
8a41ac46e24d790e11a407d0e957c4a6be6056c4

SHA256
c8e1d0b306825b2c9a3ed32a461dd191ceb861205425fdfb687a4889684a3e1a

SHA512
cf8ede5b84ba775d8ff89752530fa899d6b2e6424549202ab782a3caa92c0d9a31e9b2f660b51eedc932a68ba25e9ec228bb965cdc183e600ea8aa5a6736f829

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe

Filesize
105KB

MD5
640cc9bb769a9591c548cc63a15d15bf

SHA1
56e456d997ef4f2735b7ba48a3b0e4861327ed61

SHA256
ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

SHA512
9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe

Filesize
105KB

MD5
640cc9bb769a9591c548cc63a15d15bf

SHA1
56e456d997ef4f2735b7ba48a3b0e4861327ed61

SHA256
ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

SHA512
9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe

Filesize
105KB

MD5
640cc9bb769a9591c548cc63a15d15bf

SHA1
56e456d997ef4f2735b7ba48a3b0e4861327ed61

SHA256
ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

SHA512
9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe

Filesize
105KB

MD5
640cc9bb769a9591c548cc63a15d15bf

SHA1
56e456d997ef4f2735b7ba48a3b0e4861327ed61

SHA256
ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

SHA512
9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe

Filesize
105KB

MD5
640cc9bb769a9591c548cc63a15d15bf

SHA1
56e456d997ef4f2735b7ba48a3b0e4861327ed61

SHA256
ef1cddd57724a667599eb57a77aedde1f256853f54698a68a610c3d54f924f1e

SHA512
9e05ca442fae59a54d25fced3a156cd7eb00ba4a0ec80e69468a06639b558ee34c6c6509815eb9a10e6f833d34d48832f073fa7c0f4075ee8da16283d0a58d06

Download Submit
memory/2376-136-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4864-133-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/4864-132-0x0000000000800000-0x0000000000820000-memory.dmp

Filesize
128KB

Download
memory/4864-134-0x0000000005180000-0x00000000051E6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads