Analysis
max time kernel: 152s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 11:25
Static task: static1
Behavioral task: behavioral1
Sample: DOC_20221012_094045716/DOC_20221012_094045716.scr
Resource: win7-20241023-en
General
Target: DOC_20221012_094045716/DOC_20221012_094045716.scr
Size: 406.0MB
MD5: e95cc5f4f2be88cdd778ddb951e287e4
SHA1: 478fca06aeb68ab97d2e99c1436b4cc3370ec6d9
SHA256: e5b25e4f90530ff9fad1f617d8347f497a8bdba07e707f522564132a5bfab0b5
SHA512: 23f420f9e904ab6b2d8954ef2232cd8b84560c8f856bc83e74d8eb17228def2dc6be09db8aa7f8a67d5914be2e2e228cd483d818602a79397f96c709c5e5c49a
SSDEEP: 3072:M+rR+Y6VgvQdJK0vtNZg/V7S+O+dvvAun:M+BFI3vtNZNH+dv
Note: a 406 MB screen-saver executable (.scr is a plain PE) is a red flag in itself. Inflating a small loader with padding is a common way to push a sample past the size limits of scanners and sandbox uploaders, so expect most of the file to be filler; the small ssdeep block size (3072) for a file this large is consistent with that. When hunting, hash and compare the de-padded binary as well as these values.
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Oct 11
C2: donzola.duckdns.org:2000
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Note: the C2 is a DuckDNS dynamic-DNS host on TCP/2000, so block or alert on the hostname rather than any single resolved IP. The mutex name is a usable host indicator. install is false, so AsyncRAT's own installer (which would use install_folder) is disabled; the persistence seen in the process tree below comes from the outer loader's schtasks registration, not from the RAT itself.
Signatures
- Asyncrat family
- Executes dropped EXE (3 IoCs)
  PID 404   Windows Media Player Network Sharing Service.exe
  PID 1196  Windows Media Player Network Sharing Service.exe
  PID 3472  Windows Media Player Network Sharing Service.exe
- Suspicious use of SetThreadContext (2 IoCs)
  PID 4732 (DOC_20221012_094045716.scr) set thread context of PID 2544 (procid_target 89)
  PID 404 (Windows Media Player Network Sharing Service.exe) set thread context of PID 1196 (procid_target 99)
  In both cases the target is a freshly spawned child running the parent's own image. Combined with the repeated WriteProcessMemory calls into those same children (below), this is the process-hollowing sequence: the parent is the loader, and the hollowed child is where the RAT payload runs (PID 2544 is the process that requests SeDebugPrivilege).
- System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    DOC_20221012_094045716.scr (2)
    Windows Media Player Network Sharing Service.exe (3)
    cmd.exe (6)
    schtasks.exe (2)
  Caveat: this key is read by many ordinary processes (here by cmd.exe and schtasks.exe as well as by the sample), so on its own it is a weak indicator; weight it only in combination with the other signatures.
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4740  schtasks.exe
  PID 1496  schtasks.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2544  DOC_20221012_094045716.scr
- Suspicious use of WriteProcessMemory (48 IoCs)
  Grouped as writer -> target (number of writes, procid_target):
  PID 4732 DOC_20221012_094045716.scr -> PID 2544 (8 writes, 89)
  PID 4732 DOC_20221012_094045716.scr -> PID 4896 (3 writes, 90)
  PID 4732 DOC_20221012_094045716.scr -> PID 2284 (3 writes, 91)
  PID 4732 DOC_20221012_094045716.scr -> PID 3292 (3 writes, 92)
  PID 2284 cmd.exe -> PID 1496 (3 writes, 96)
  PID 404 Windows Media Player Network Sharing Service.exe -> PID 1196 (8 writes, 99)
  PID 404 Windows Media Player Network Sharing Service.exe -> PID 3320 (3 writes, 100)
  PID 404 Windows Media Player Network Sharing Service.exe -> PID 4700 (3 writes, 101)
  PID 404 Windows Media Player Network Sharing Service.exe -> PID 1272 (3 writes, 103)
  PID 4700 cmd.exe -> PID 4740 (3 writes, 106)
  PID 3472 Windows Media Player Network Sharing Service.exe -> PID 1328 (8 writes, 108)
  On this run every ordinary child (cmd.exe, schtasks.exe) receives exactly three writes from its parent, which is the baseline the sandbox records for plain process creation. The eight writes into each same-image child (2544, 1196, 1328) are the extra writes that mark the hollowing targets.
Processes
Indentation shows depth in the process tree (the original page marked depth as 1⤵, 2⤵, 3⤵ after each command line).

C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716\DOC_20221012_094045716.scr  [PID 4732]
  Command line: "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716\DOC_20221012_094045716.scr" /S
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716\DOC_20221012_094045716.scr  [PID 2544]
    Command line: "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716\DOC_20221012_094045716.scr"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  [PID 4896]
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  [PID 2284]
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  [PID 1496]
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe  [PID 3292]
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716\DOC_20221012_094045716.scr" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
    - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe  [PID 404]
  Command line: "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe  [PID 1196]
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  [PID 3320]
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  [PID 4700]
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  [PID 4740]
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe  [PID 1272]
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
    - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe  [PID 3472]
  Command line: "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe  [PID 1328]
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"

Reading the tree: the sample was launched with the /S switch Windows uses when it starts a screen saver. The loader (4732) creates a folder under %AppData%\Roaming with a name that mimics a Windows service, registers the "Nafifas" task to run the dropped copy every minute, copies itself there, and hollows a same-image child (2544) that runs the RAT. PIDs 404 and 3472 are new top-level instances of the dropped copy, which is what a one-minute task produces once registered; 404 repeats the whole install sequence, including a copy of the file onto itself (source and destination are the same path because the running image is already the persisted copy), and hollows its own child (1196). For 3472 only the child spawn (1328) is recorded. Host indicators to hunt for: the task name "Nafifas", the folder and executable name under AppData\Roaming, and an executable with a service-like name running outside C:\Windows.
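The behaviour above can be written down as detection logic. The following is an added example in Python, not code from the sandbox vendor or from the sample: it runs over a constructed process-creation feed rebuilt from this report's tree (same PIDs, images and command lines), with parent PID 1 assumed for the two top-level processes because the page does not show their parents. The four checks (a child spawned from its parent's own image, a minute-interval schtasks registration whose action lives under AppData, a copy of the parent's own image onto that task action, and the task action later being executed) are this editor's encoding of the pattern, not a vendor rule, and they generalise to any loader that uses the same steps.

```python
"""Process-tree detection for a self-hollowing loader with schtasks persistence.

Added example over constructed events reconstructed from the report above;
parent PID 1 for the two top-level processes is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SCR = r"C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716\DOC_20221012_094045716.scr"
DROP = (r"C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
        r"\Windows Media Player Network Sharing Service.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TASK_CMD = f"schtasks /create /sc minute /mo 1 /tn \"Nafifas\" /tr \"'{DROP}'\" /f"

# Constructed feed: first run of the .scr, then the first task-launched run of the drop.
EVENTS = [
    ProcEvent(4732, 1, SCR, f'"{SCR}" /S'),
    ProcEvent(2544, 4732, SCR, f'"{SCR}"'),
    ProcEvent(4896, 4732, CMD, r'"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"'),
    ProcEvent(2284, 4732, CMD, f'"cmd" /c {TASK_CMD}'),
    ProcEvent(1496, 2284, SCHTASKS, TASK_CMD),
    ProcEvent(3292, 4732, CMD, f'"cmd" /c copy "{SCR}" "{DROP}"'),
    ProcEvent(404, 1, DROP, f'"{DROP}"'),
    ProcEvent(1196, 404, DROP, f'"{DROP}"'),
    ProcEvent(4700, 404, CMD, f'"cmd" /c {TASK_CMD}'),
    ProcEvent(4740, 4700, SCHTASKS, TASK_CMD),
    ProcEvent(1272, 404, CMD, f'"cmd" /c copy "{DROP}" "{DROP}"'),
]

# /tr is quoted as "'path'" in this loader; the regex tolerates both quote styles.
TASK_RE = re.compile(
    r'''/sc\s+minute\s+/mo\s+(\d+).*?/tn\s+"([^"]+)".*?/tr\s+"'?([^"']+)'?"''', re.I)
COPY_RE = re.compile(r'copy\s+"([^"]+)"\s+"([^"]+)"', re.I)


def self_spawn(events):
    """(parent, child) pairs where the child runs the parent's own image: hollowing precondition."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid) for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]


def short_interval_tasks(events, max_minutes=5):
    """schtasks registrations firing every few minutes whose action lives under a user profile."""
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\schtasks.exe"):
            continue
        m = TASK_RE.search(e.cmdline)
        if not m:
            continue
        minutes, name, target = int(m.group(1)), m.group(2), m.group(3)
        if minutes <= max_minutes and "\\appdata\\" in target.lower():
            hits.append({"pid": e.pid, "task": name, "interval_min": minutes, "target": target})
    return hits


def launched_task_targets(events, tasks):
    """PIDs whose image is the action of a flagged task, i.e. the persistence has fired."""
    targets = {t["target"].lower() for t in tasks}
    return [e.pid for e in events if e.image.lower() in targets]


def staged_copies(events, tasks):
    """cmd /c copy of the parent's own image onto a flagged task action (self-staging)."""
    by_pid = {e.pid: e for e in events}
    targets = {t["target"].lower() for t in tasks}
    hits = []
    for e in events:
        m = COPY_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if (m and parent and m.group(1).lower() == parent.image.lower()
                and m.group(2).lower() in targets):
            hits.append((e.pid, m.group(2)))
    return hits


def detect(events):
    """Run all checks; a host matching self_spawn plus any task check deserves an alert."""
    tasks = short_interval_tasks(events)
    return {
        "self_spawn": self_spawn(events),
        "tasks": tasks,
        "task_targets_executed": launched_task_targets(events, tasks),
        "staged_copies": staged_copies(events, tasks),
    }


if __name__ == "__main__":
    for rule, hits in detect(EVENTS).items():
        print(f"{rule}: {hits}")
```

The checks are deliberately correlated rather than independent: a same-image child spawn alone is noisy (browsers and updaters do it), and a schtasks registration alone is common in legitimate software, but a minute-interval task whose action is a copy of the registering process's own image under AppData is not something benign installers do.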
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Media Player Network Sharing Service.exe.log
  Filesize: 612B
  MD5: 4bc94363628f46b343c5e8e2da62ca26
  SHA1: 8a41ac46e24d790e11a407d0e957c4a6be6056c4
  SHA256: c8e1d0b306825b2c9a3ed32a461dd191ceb861205425fdfb687a4889684a3e1a
  SHA512: cf8ede5b84ba775d8ff89752530fa899d6b2e6424549202ab782a3caa92c0d9a31e9b2f660b51eedc932a68ba25e9ec228bb965cdc183e600ea8aa5a6736f829
  This is a CLR usage log written by the .NET Framework runtime, so the dropped copy executed as a 32-bit .NET 4.x assembly (the CLR_v4.0_32 directory). The presence of a UsageLogs entry named after the dropped executable is itself a small host artifact worth checking; the log's hashes vary per host and are not a useful indicator.