Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2023 10:11

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: SCRSHOT02.scr.exe
  Resource: win7-20230220-en (windows7-x64)
  8 signatures, 150 seconds
General
Target: SCRSHOT02.scr.exe
Size: 255KB
MD5: cc54630cfed370da5d83b5c3d0ee9ec4
SHA1: d18ba6e2d8e877bc0bec89536087f49a4bf32921
SHA256: 1270491bd3068a4159eee0ad8c8d6871cf0ba80cac9fd749a7e9d1c02f6f3653
SHA512: 1b7a78bb5303e97cb74896d68d6094a050e8859a2b944840619ad3b589a4654d292363e3afce33a7fd2d1805ead532ba706951149a9742f5040f2252d17b695a
SSDEEP: 3072:FRsjupfBVcoFDzbtu/c762soY8zyCy0A:MKxBVjF3bc/cpsoYSHA
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: iphy1.duckdns.org:8808
Mutex: AsyncMutex_6SI8OkPnkg
Attributes:
  delay: 3
  install: false
  install_folder: %AppData%
aes.plain
Signatures

Async RAT payload (1 IoCs)
  resource: behavioral2/memory/2600-137-0x0000000000710000-0x0000000000722000-memory.dmp
  yara_rule: asyncrat

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid  Process            procid_target
  PID 388 set thread context of 2600   388  SCRSHOT02.scr.exe  83

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4148  schtasks.exe

Suspicious behavior: RenamesItself (1 IoCs)
  pid  Process
  388  SCRSHOT02.scr.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2600  vbc.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                          pid   Process            procid_target  count
  PID 388 wrote to memory of 2600      388   SCRSHOT02.scr.exe  83             8
  PID 388 wrote to memory of 4328      388   SCRSHOT02.scr.exe  84             3
  PID 388 wrote to memory of 4532      388   SCRSHOT02.scr.exe  86             3
  PID 4532 wrote to memory of 4148     4532  cmd.exe            88             3
  PID 388 wrote to memory of 804       388   SCRSHOT02.scr.exe  89             3
Processes

C:\Users\Admin\AppData\Local\Temp\SCRSHOT02.scr.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SCRSHOT02.scr.exe"
  PID: 388
  - Suspicious use of SetThreadContext
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 2600
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\winpr01"
      PID: 4328

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\winpr01\winpr01.exe'" /f
      PID: 4532
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\winpr01\winpr01.exe'" /f
          PID: 4148
          - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SCRSHOT02.scr.exe" "C:\Users\Admin\AppData\Roaming\winpr01\winpr01.exe"
      PID: 804