Overview

overview

10

Static

static

1

document_viewer.exe

windows7-x64

10

document_viewer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    17-02-2023 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    document_viewer.exe

  • Size

    580KB

  • MD5

    bc1722ec205a1c5ed34b8766971fe608

  • SHA1

    43ded76bf48088b7684879214ad4d66b58ef9a90

  • SHA256

    325076c547bffb21683f5bc023739016ad025c0739a7e122aa7289fa91fc88c2

  • SHA512

    9eee2a624c14281de538b34032457c53276c3dad67b89989e7f95a3e93dae05e87bda13791aa00d8928d4a9845879d164ff900084ad5a120db44e934b0f89465

  • SSDEEP

    12288:bIqDSu4Dsv9thG2SEzak3cgH+/nSsYCrDl0wnhkDsv9t:MqDSu8gLY/nWiuY

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.0

Botnet

Default

C2

179.43.142.197:5789

Mutex

ncarwpqkcbklyda

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 7 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\document_viewer.exe
    "C:\Users\Admin\AppData\Local\Temp\document_viewer.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\document_viewer.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1352
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sDCoBOTNA.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:780
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sDCoBOTNA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBFA8.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1984
    • C:\Users\Admin\AppData\Local\Temp\document_viewer.exe
      "C:\Users\Admin\AppData\Local\Temp\document_viewer.exe"
      2⤵
        PID:1844
      • C:\Users\Admin\AppData\Local\Temp\document_viewer.exe
        "C:\Users\Admin\AppData\Local\Temp\document_viewer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:296

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpBFA8.tmp
      Filesize

      1KB

      MD5

      a81475195bfdde24e01c6ed027e3897f

      SHA1

      79f538e823999fcf40173d20af80dfff524b997d

      SHA256

      7f432a871ace64d8c379044affef674ac8cb36aa21f049d2768e3673cf3bef8b

      SHA512

      3e4d16067caf26e9860c564040359852b5cef9b00bc08dc55213fbc0875aa4a26ca693cce0a48286a6c301a40424600023cff72deb17d773571c4db765228ba9

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      cb26ad56fd4a5325e33a27ec797b0b52

      SHA1

      07fa85b479aaf5f3f8cc5442a03bbfce01bdaff5

      SHA256

      d0cfa8b72fc227b42e32cc495d575b23cd0152c2d5dbf6f0bc0fc013d465e826

      SHA512

      b45ed029e0dc24b48db9fab9bebec83abeecd98f406f6838d436f503377b17dbcbadccd30f4ce80df95247707fe57d8d38a797919b2241ea3fb5c1198fbd2479

      Download Submit
    • memory/296-77-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/296-72-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/296-68-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/296-71-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/296-83-0x00000000003E0000-0x00000000003EE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/296-75-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/296-70-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/296-73-0x00000000004116AE-mapping.dmp
      Download
    • memory/296-84-0x00000000005B0000-0x00000000005B8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/296-67-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/780-61-0x0000000000000000-mapping.dmp
      Download
    • memory/780-81-0x000000006DC20000-0x000000006E1CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/780-79-0x000000006DC20000-0x000000006E1CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/852-56-0x00000000003B0000-0x00000000003C4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/852-58-0x0000000005290000-0x00000000052F8000-memory.dmp
      Filesize

      416KB

      Download
    • memory/852-66-0x0000000004AA0000-0x0000000004ABA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/852-54-0x0000000000830000-0x00000000008C8000-memory.dmp
      Filesize

      608KB

      Download
    • memory/852-55-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/852-57-0x0000000000420000-0x000000000042C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1352-80-0x000000006DC20000-0x000000006E1CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1352-82-0x000000006DC20000-0x000000006E1CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1352-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1984-62-0x0000000000000000-mapping.dmp
      Download