Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Notificati...23.exe

windows7-x64

10

Notificati...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2023, 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Notification of transfer made - Santander142023.exe

  • Size

    168KB

  • MD5

    460c5e2904724e5babe7c3f7eaaf8de9

  • SHA1

    a648b18830c27850fe651e6601792a7676c18c94

  • SHA256

    e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

  • SHA512

    31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16

  • SSDEEP

    3072:2L31ZGgcsKuvP6Thmcy6bzVprBAs6UKoq0yiw7bWbJ:83ugdvP6K6b/rBAsq/iwQ

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

donelpacino.ddns.net:5500

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Notification of transfer made - Santander142023.exe
    "C:\Users\Admin\AppData\Local\Temp\Notification of transfer made - Santander142023.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Users\Admin\AppData\Local\Temp\Notification of transfer made - Santander142023.exe
      "C:\Users\Admin\AppData\Local\Temp\Notification of transfer made - Santander142023.exe"
      2⤵
        PID:2080
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\notepad"
        2⤵
          PID:2596
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\notepad\notepad.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2356
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\notepad\notepad.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:4868
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Notification of transfer made - Santander142023.exe" "C:\Users\Admin\AppData\Roaming\notepad\notepad.exe"
          2⤵
            PID:1240
        • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
          C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4900
          • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
            "C:\Users\Admin\AppData\Roaming\notepad\notepad.exe"
            2⤵
            • Executes dropped EXE
            PID:4552
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\notepad"
            2⤵
              PID:456
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\notepad\notepad.exe'" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3184
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\notepad\notepad.exe'" /f
                3⤵
                • Creates scheduled task(s)
                PID:4796
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c copy "C:\Users\Admin\AppData\Roaming\notepad\notepad.exe" "C:\Users\Admin\AppData\Roaming\notepad\notepad.exe"
              2⤵
                PID:1576

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\notepad.exe.log
              Filesize

              520B

              MD5

              03febbff58da1d3318c31657d89c8542

              SHA1

              c9e017bd9d0a4fe533795b227c855935d86c2092

              SHA256

              5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

              SHA512

              3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

              Download Submit

            • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
              Filesize

              168KB

              MD5

              460c5e2904724e5babe7c3f7eaaf8de9

              SHA1

              a648b18830c27850fe651e6601792a7676c18c94

              SHA256

              e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

              SHA512

              31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16

              Download Submit

            • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
              Filesize

              168KB

              MD5

              460c5e2904724e5babe7c3f7eaaf8de9

              SHA1

              a648b18830c27850fe651e6601792a7676c18c94

              SHA256

              e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

              SHA512

              31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16

              Download Submit

            • C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
              Filesize

              168KB

              MD5

              460c5e2904724e5babe7c3f7eaaf8de9

              SHA1

              a648b18830c27850fe651e6601792a7676c18c94

              SHA256

              e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

              SHA512

              31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16

              Download Submit

            • memory/2080-10-0x0000000074FD0000-0x0000000075780000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2080-16-0x0000000004E10000-0x0000000004E20000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2080-11-0x0000000004E10000-0x0000000004E20000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2080-8-0x00000000007A0000-0x00000000007B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2080-9-0x0000000074FD0000-0x0000000075780000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3572-5-0x0000000005520000-0x000000000553E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/3572-2-0x0000000074FD0000-0x0000000075780000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3572-15-0x0000000074FD0000-0x0000000075780000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3572-0-0x0000000074FD0000-0x0000000075780000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3572-4-0x0000000005570000-0x0000000005580000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3572-3-0x0000000005B30000-0x00000000060D4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/3572-6-0x0000000005570000-0x0000000005580000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3572-1-0x0000000000B70000-0x0000000000B9E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/4552-25-0x0000000074FD0000-0x0000000075780000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4552-27-0x0000000004C80000-0x0000000004C90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4552-28-0x0000000074FD0000-0x0000000075780000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4900-20-0x0000000005650000-0x0000000005660000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4900-19-0x0000000074FD0000-0x0000000075780000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4900-26-0x0000000074FD0000-0x0000000075780000-memory.dmp

              Filesize

              7.7MB

              Download