Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Notificati...23.exe

windows7-x64

10

Notificati...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    13/10/2023, 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Notification of transfer made - Santander142023.exe

  • Size

    168KB

  • MD5

    460c5e2904724e5babe7c3f7eaaf8de9

  • SHA1

    a648b18830c27850fe651e6601792a7676c18c94

  • SHA256

    e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

  • SHA512

    31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16

  • SSDEEP

    3072:2L31ZGgcsKuvP6Thmcy6bzVprBAs6UKoq0yiw7bWbJ:83ugdvP6K6b/rBAsq/iwQ

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

donelpacino.ddns.net:5500

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 8 IoCs
    rat
  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Notification of transfer made - Santander142023.exe
    "C:\Users\Admin\AppData\Local\Temp\Notification of transfer made - Santander142023.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\Notification of transfer made - Santander142023.exe
      "C:\Users\Admin\AppData\Local\Temp\Notification of transfer made - Santander142023.exe"
      2⤵
        PID:740
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\notepad"
        2⤵
          PID:2624
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\notepad\notepad.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\notepad\notepad.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:852
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Notification of transfer made - Santander142023.exe" "C:\Users\Admin\AppData\Roaming\notepad\notepad.exe"
          2⤵
            PID:2744
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {468DCE6E-CB96-44D8-947E-218079501F05} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2516
          • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
            C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2012
            • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
              "C:\Users\Admin\AppData\Roaming\notepad\notepad.exe"
              3⤵
              • Executes dropped EXE
              PID:1264
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\notepad"
              3⤵
                PID:2828
              • C:\Windows\SysWOW64\cmd.exe
                "cmd" /c copy "C:\Users\Admin\AppData\Roaming\notepad\notepad.exe" "C:\Users\Admin\AppData\Roaming\notepad\notepad.exe"
                3⤵
                  PID:2992
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\notepad\notepad.exe'" /f
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2988
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\notepad\notepad.exe'" /f
                    4⤵
                    • Creates scheduled task(s)
                    PID:1932
              • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
                C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
                2⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1752
                • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
                  "C:\Users\Admin\AppData\Roaming\notepad\notepad.exe"
                  3⤵
                  • Executes dropped EXE
                  PID:2556
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\notepad"
                  3⤵
                    PID:1928
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\notepad\notepad.exe'" /f
                    3⤵
                      PID:1592
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\notepad\notepad.exe'" /f
                        4⤵
                        • Creates scheduled task(s)
                        PID:1260
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd" /c copy "C:\Users\Admin\AppData\Roaming\notepad\notepad.exe" "C:\Users\Admin\AppData\Roaming\notepad\notepad.exe"
                      3⤵
                        PID:1268

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
                    Filesize

                    168KB

                    MD5

                    460c5e2904724e5babe7c3f7eaaf8de9

                    SHA1

                    a648b18830c27850fe651e6601792a7676c18c94

                    SHA256

                    e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

                    SHA512

                    31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
                    Filesize

                    168KB

                    MD5

                    460c5e2904724e5babe7c3f7eaaf8de9

                    SHA1

                    a648b18830c27850fe651e6601792a7676c18c94

                    SHA256

                    e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

                    SHA512

                    31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
                    Filesize

                    168KB

                    MD5

                    460c5e2904724e5babe7c3f7eaaf8de9

                    SHA1

                    a648b18830c27850fe651e6601792a7676c18c94

                    SHA256

                    e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

                    SHA512

                    31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
                    Filesize

                    168KB

                    MD5

                    460c5e2904724e5babe7c3f7eaaf8de9

                    SHA1

                    a648b18830c27850fe651e6601792a7676c18c94

                    SHA256

                    e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

                    SHA512

                    31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
                    Filesize

                    168KB

                    MD5

                    460c5e2904724e5babe7c3f7eaaf8de9

                    SHA1

                    a648b18830c27850fe651e6601792a7676c18c94

                    SHA256

                    e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

                    SHA512

                    31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16

                    Download Submit

                  • memory/740-7-0x0000000000400000-0x0000000000412000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/740-15-0x00000000740F0000-0x00000000747DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/740-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/740-4-0x0000000000400000-0x0000000000412000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/740-6-0x0000000000400000-0x0000000000412000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/740-12-0x0000000000400000-0x0000000000412000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/740-14-0x0000000000400000-0x0000000000412000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/740-10-0x0000000000400000-0x0000000000412000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/740-5-0x0000000000400000-0x0000000000412000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/740-19-0x00000000048A0000-0x00000000048E0000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/740-20-0x00000000740F0000-0x00000000747DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/1264-40-0x00000000740F0000-0x00000000747DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/1264-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1264-42-0x00000000740F0000-0x00000000747DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/1752-45-0x00000000740F0000-0x00000000747DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/1752-46-0x00000000047E0000-0x0000000004820000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/1752-64-0x00000000740F0000-0x00000000747DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/2012-41-0x00000000740F0000-0x00000000747DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/2012-23-0x0000000000F80000-0x0000000000FAE000-memory.dmp

                    Filesize

                    184KB

                    Download

                  • memory/2012-25-0x0000000000970000-0x00000000009B0000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2012-24-0x00000000740F0000-0x00000000747DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/2076-1-0x00000000740F0000-0x00000000747DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/2076-0-0x0000000001300000-0x000000000132E000-memory.dmp

                    Filesize

                    184KB

                    Download

                  • memory/2076-2-0x0000000000650000-0x0000000000690000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2076-16-0x00000000740F0000-0x00000000747DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/2076-3-0x0000000000430000-0x000000000044E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2556-63-0x0000000000080000-0x0000000000092000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/2556-60-0x0000000000080000-0x0000000000092000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/2556-56-0x0000000000080000-0x0000000000092000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/2556-65-0x00000000740F0000-0x00000000747DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/2556-66-0x0000000004E00000-0x0000000004E40000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2556-67-0x00000000740F0000-0x00000000747DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download