Analysis

max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 11:25

Static task: static1
Behavioral task: behavioral1
  Sample: DOC_20221012_094045716/DOC_20221012_094045716.scr
  Resource: win7-20241023-en

General

Target: DOC_20221012_094045716/DOC_20221012_094045716.scr
Size: 406.0MB
MD5: e95cc5f4f2be88cdd778ddb951e287e4
SHA1: 478fca06aeb68ab97d2e99c1436b4cc3370ec6d9
SHA256: e5b25e4f90530ff9fad1f617d8347f497a8bdba07e707f522564132a5bfab0b5
SHA512: 23f420f9e904ab6b2d8954ef2232cd8b84560c8f856bc83e74d8eb17228def2dc6be09db8aa7f8a67d5914be2e2e228cd483d818602a79397f96c709c5e5c49a
SSDEEP: 3072:M+rR+Y6VgvQdJK0vtNZg/V7S+O+dvvAun:M+BFI3vtNZNH+dv
Malware Config

Extracted
  Family: asyncrat
  Version: 0.5.7B
  Botnet: Oct 11
  C2: donzola.duckdns.org:2000
  Mutex: AsyncMutex_6SI8OkPnk
  Attributes:
    delay: 3
    install: false
    install_folder: %AppData%
Signatures

Asyncrat family

Executes dropped EXE (3 IoCs)
  PID   Process
  692   Windows Media Player Network Sharing Service.exe
  1960  Windows Media Player Network Sharing Service.exe
  960   Windows Media Player Network Sharing Service.exe

Loads dropped DLL (1 IoC)
  PID   Process
  692   Windows Media Player Network Sharing Service.exe

Suspicious use of SetThreadContext (2 IoCs)
  Description                          PID   Process                                           procid_target
  PID 2408 set thread context of 2964  2408  DOC_20221012_094045716.scr                        32
  PID 692 set thread context of 1960   692   Windows Media Player Network Sharing Service.exe  42

System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe (2 entries)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Windows Media Player Network Sharing Service.exe (3 entries)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DOC_20221012_094045716.scr (2 entries)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe (6 entries)

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  2968  schtasks.exe
  2492  schtasks.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description              PID   Process
  Token: SeDebugPrivilege  2964  DOC_20221012_094045716.scr

Suspicious use of WriteProcessMemory (64 IoCs)
The report lists 64 write events; each row below stands for several entries with the same writer, target and procid_target (one entry per WriteProcessMemory call into that target).
  Description                    PID   Process                                           procid_target
  PID 2408 wrote to memory of 2964  2408  DOC_20221012_094045716.scr                        32
  PID 2408 wrote to memory of 2808  2408  DOC_20221012_094045716.scr                        33
  PID 2408 wrote to memory of 2728  2408  DOC_20221012_094045716.scr                        34
  PID 2408 wrote to memory of 2980  2408  DOC_20221012_094045716.scr                        35
  PID 2728 wrote to memory of 2968  2728  cmd.exe                                           39
  PID 3032 wrote to memory of 692   3032  taskeng.exe                                       41
  PID 692 wrote to memory of 1960   692   Windows Media Player Network Sharing Service.exe  42
  PID 692 wrote to memory of 1224   692   Windows Media Player Network Sharing Service.exe  43
  PID 692 wrote to memory of 2088   692   Windows Media Player Network Sharing Service.exe  44
  PID 692 wrote to memory of 2052   692   Windows Media Player Network Sharing Service.exe  45
  PID 2088 wrote to memory of 2492  2088  cmd.exe                                           49
  PID 3032 wrote to memory of 960   3032  taskeng.exe                                       50
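The SetThreadContext and WriteProcessMemory tables above show the same sequence twice: the dropper starts a second copy of its own image (2408 writes into 2964, and later the %AppData% copy 692 writes into 1960), fills it and then sets the new thread's context. That is the process-hollowing shape, and it explains why the AsyncRAT config is extracted from a process named like the loader and why SeDebugPrivilege is requested from PID 2964 rather than 2408. It also squares the config's "install: false" with the scheduled task in the tree: persistence is done by the outer stage, not by the AsyncRAT stub. The Python below is an added example, not the sandbox's own logic; the PIDs and image names are transcribed from this page, and the three labels and the rule that assigns them are the example's own heuristic. The caveat it encodes: a parent writing into a child it has just spawned is what CreateProcess looks like to an API monitor, so a bare WriteProcessMemory entry (cmd.exe into schtasks.exe, taskeng.exe into the task's target) is not evidence of injection on its own.

```python
"""Correlate the SetThreadContext and WriteProcessMemory IoCs from a sandbox
report into process-hollowing candidates.  Added example; PIDs and images
below are transcribed from the report, the labels are this example's own."""
from collections import defaultdict

# Image name per PID, taken from the process tree in the report.
PROCESSES = {
    2408: "DOC_20221012_094045716.scr",
    2964: "DOC_20221012_094045716.scr",
    2808: "cmd.exe", 2728: "cmd.exe", 2980: "cmd.exe",
    2968: "schtasks.exe",
    3032: "taskeng.exe",
    692: "Windows Media Player Network Sharing Service.exe",
    1960: "Windows Media Player Network Sharing Service.exe",
    1224: "cmd.exe", 2088: "cmd.exe", 2052: "cmd.exe",
    2492: "schtasks.exe",
    960: "Windows Media Player Network Sharing Service.exe",
}

# Distinct (writer_pid, target_pid) pairs from "Suspicious use of WriteProcessMemory".
WRITES = [
    (2408, 2964), (2408, 2808), (2408, 2728), (2408, 2980),
    (2728, 2968), (3032, 692),
    (692, 1960), (692, 1224), (692, 2088), (692, 2052),
    (2088, 2492), (3032, 960),
]

# (caller_pid, target_pid) pairs from "Suspicious use of SetThreadContext".
THREAD_CONTEXT = [(2408, 2964), (692, 1960)]


def classify_writes(writes, thread_context, processes):
    """Label each cross-process write.

    child-spawn:           writer only wrote into the target (normal for a
                           parent that just called CreateProcess).
    thread-context-hijack: writer also set the target's thread context, but
                           the target is a different image (generic injection).
    hollowing:             writer set the thread context of a target that was
                           started from the writer's own image, i.e. a suspended
                           copy of itself whose memory was replaced.
    """
    ctx = set(thread_context)
    labels = {}
    for writer, target in writes:
        same_image = processes.get(writer) == processes.get(target)
        if (writer, target) in ctx and same_image:
            labels[(writer, target)] = "hollowing"
        elif (writer, target) in ctx:
            labels[(writer, target)] = "thread-context-hijack"
        else:
            labels[(writer, target)] = "child-spawn"
    return labels


def hollowed_pids(writes, thread_context, processes):
    """PIDs whose memory was replaced; those are where the payload actually runs,
    so they are the processes to dump for config extraction."""
    labels = classify_writes(writes, thread_context, processes)
    return sorted(t for (w, t), lab in labels.items() if lab == "hollowing")


def spawn_chains(writes, processes):
    """Writer -> [(target, image)] map, i.e. the tree as the API monitor saw it."""
    tree = defaultdict(list)
    for writer, target in writes:
        tree[writer].append((target, processes.get(target, "?")))
    return dict(tree)


if __name__ == "__main__":
    for (w, t), label in classify_writes(WRITES, THREAD_CONTEXT, PROCESSES).items():
        print(f"{w:>5} -> {t:<5} {label}")
    print("hollowed:", hollowed_pids(WRITES, THREAD_CONTEXT, PROCESSES))
```

Running it labels exactly two pairs as hollowing (2408 into 2964 and 692 into 1960) and everything else as child-spawn, which matches where the report's own signatures (AdjustPrivilegeToken, the extracted config) point.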
Processes

[1] C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716\DOC_20221012_094045716.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716\DOC_20221012_094045716.scr" /S
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2408

    [2] C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716\DOC_20221012_094045716.scr
        Command line: "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716\DOC_20221012_094045716.scr"
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 2964

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
        - System Location Discovery: System Language Discovery
        PID: 2808

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2728

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
            PID: 2968

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716\DOC_20221012_094045716.scr" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
        - System Location Discovery: System Language Discovery
        PID: 2980

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {EF42E0A2-0D5D-4BB2-A896-3AC2ECCE554B} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    PID: 3032

    [2] C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 692

        [3] C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 1960

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
            - System Location Discovery: System Language Discovery
            PID: 1224

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2088

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
                - System Location Discovery: System Language Discovery
                - Scheduled Task/Job: Scheduled Task
                PID: 2492

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
            - System Location Discovery: System Language Discovery
            PID: 2052

    [2] C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 960
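The process tree above is the whole persistence procedure in three command lines: a .scr launched with /S out of a Temp directory (the switch Explorer passes when a screensaver file is opened, so the "document" runs as an ordinary executable), mkdir plus copy into %AppData%\Roaming under a directory and file name that mimic a Windows service, and a schtasks entry that relaunches the copy every minute. That task is why taskeng.exe shows up as a second root, and the copy repeats mkdir/copy/schtasks on each run (its copy command, PID 2052, has identical source and destination), so the same three events recur every minute on an infected host. The Python below is an added example, not from the report, of detection logic over process-creation records. The records are constructed in Sysmon Event ID 1 style (Image, CommandLine, ParentImage, ProcessId); the three malicious ones carry command lines and PIDs from this page, the parent of PID 2408 is not shown in the report and is assumed to be explorer.exe, and the two benign records are invented controls. The rules key on generic traits (user-writable paths, minute-granularity triggers, a child copying its parent's image) rather than on the task name "Nafifas", which is specific to this sample.

```python
"""Detection logic for screensaver-lure delivery and schtasks persistence into
%AppData%, run over Sysmon-style process-creation records.  Added example;
malicious records are transcribed from the sandbox report, benign ones are
constructed controls, the parent of the .scr is assumed to be explorer.exe."""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to; a task action or a freshly
# copied executable living here is the persistence tell.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.I)


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def task_action(cmdline):
    """Program path given to schtasks /tr, with surrounding quote layers removed
    (the sample wraps the path as "'...'", double quotes around single)."""
    m = re.search(r"/tr\s+(.+?)(?=\s+/\w+\b|$)", cmdline, re.I)
    return m.group(1).strip(" \"'") if m else None


def task_interval_minutes(cmdline):
    """Interval for /sc minute tasks (default modifier is 1); None otherwise."""
    if not re.search(r"/sc\s+minute\b", cmdline, re.I):
        return None
    m = re.search(r"/mo\s+(\d+)", cmdline, re.I)
    return int(m.group(1)) if m else 1


def analyze(records):
    """Run the three rules over Sysmon-style process-creation records."""
    alerts = []
    for r in records:
        image, cl, parent, pid = r["Image"], r["CommandLine"], r["ParentImage"], r["ProcessId"]
        base = image.rsplit("\\", 1)[-1].lower()

        # Rule 1: a .scr run with /S from a user-writable path.  /S is the
        # "show full screen" switch Explorer passes on open, so this is what a
        # double-clicked screensaver lure looks like.
        if base.endswith(".scr") and USER_WRITABLE.search(image) and re.search(r"\s/s\b", cl, re.I):
            alerts.append(Alert("scr_lure_launch", pid, image))

        # Rule 2: schtasks /create with a minute-granularity trigger whose action
        # lives under AppData.  Legitimate minute tasks exist, so the
        # user-writable action path carries the weight here.
        if base == "schtasks.exe" and re.search(r"/create\b", cl, re.I):
            action, interval = task_action(cl), task_interval_minutes(cl)
            if action and USER_WRITABLE.search(action) and interval is not None and interval <= 5:
                alerts.append(Alert("schtasks_minute_userdir", pid, f"every {interval} min -> {action}"))

        # Rule 3: cmd copying its own parent's image into AppData (self-install).
        if base == "cmd.exe":
            m = re.search(r'\bcopy\s+"([^"]+)"\s+"([^"]+)"', cl, re.I)
            if m and m.group(1).lower() == parent.lower() and USER_WRITABLE.search(m.group(2)):
                alerts.append(Alert("self_copy_to_appdata", pid, m.group(2)))
    return alerts


SCR = r"C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716\DOC_20221012_094045716.scr"
DROP = r"C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"

# Constructed records: the first three mirror the report's process tree, the
# last two are benign controls that the rules must not fire on.
SAMPLE_EVENTS = [
    {"ProcessId": 2408, "ParentImage": r"C:\Windows\explorer.exe",  # parent assumed
     "Image": SCR, "CommandLine": f'"{SCR}" /S'},
    {"ProcessId": 2980, "ParentImage": SCR, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"cmd" /c copy "{SCR}" "{DROP}"'},
    {"ProcessId": 2968, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": f"""schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'{DROP}'" /f"""},
    {"ProcessId": 4001, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /st 09:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /f'},
    {"ProcessId": 4002, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c copy "C:\Users\Admin\Documents\a.txt" "C:\Users\Admin\AppData\Roaming\notes\a.txt"'},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

On the sample records this raises one alert per stage (launch, self-copy, task creation) and nothing for the two controls. Because the task re-runs the copy every minute, the same schtasks and copy alerts will repeat on a live host; de-duplicating on (rule, action path) before paging anyone is the practical follow-up.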