asyncrat | 88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-en
submitted
15-09-2021 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e136f191f0f60e3468e4d2544593790b.exe
Size

586KB
MD5

e136f191f0f60e3468e4d2544593790b
SHA1

4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c
SHA256

88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757
SHA512

d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Score

10^/10

asyncrat wire$$$$$$$$rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WIRE$$$$$$$$

severdops.ddns.net:6204

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
true
install_file
iconfx.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1672-56-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1672-57-0x000000000040C6FE-mapping.dmp	asyncrat
behavioral1/memory/1672-59-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1076-79-0x000000000040C6FE-mapping.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

iconfx.exeiconfx.exe

pid process

1832 iconfx.exe
1076 iconfx.exe
Loads dropped DLL 7 IoCs

Processes:

cmd.exeWerFault.exe

pid process

1200 cmd.exe
1200 cmd.exe
1548 WerFault.exe
1548 WerFault.exe
1548 WerFault.exe
1548 WerFault.exe
1548 WerFault.exe

pid	process
1832	iconfx.exe
1076	iconfx.exe

pid	process
1200	cmd.exe
1200	cmd.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e136f191f0f60e3468e4d2544593790b.exeiconfx.exe

description	pid	process	target process
PID 1960 set thread context of 1672	1960	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1832 set thread context of 1076	1832	iconfx.exe	iconfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2040 1960 WerFault.exe e136f191f0f60e3468e4d2544593790b.exe
1548 1832 WerFault.exe iconfx.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

448 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1068 timeout.exe

pid	pid_target	process	target process
2040	1960	WerFault.exe	e136f191f0f60e3468e4d2544593790b.exe
1548	1832	WerFault.exe	iconfx.exe

pid	process
448	schtasks.exe

pid	process
1068	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exee136f191f0f60e3468e4d2544593790b.exeWerFault.exe

pid	process
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
1672	e136f191f0f60e3468e4d2544593790b.exe
1672	e136f191f0f60e3468e4d2544593790b.exe
1672	e136f191f0f60e3468e4d2544593790b.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid process

2040 WerFault.exe
1548 WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

e136f191f0f60e3468e4d2544593790b.exeWerFault.exee136f191f0f60e3468e4d2544593790b.exeiconfx.exeWerFault.exeiconfx.exe

description	pid	process
Token: SeDebugPrivilege	1960	e136f191f0f60e3468e4d2544593790b.exe
Token: SeDebugPrivilege	2040	WerFault.exe
Token: SeDebugPrivilege	1672	e136f191f0f60e3468e4d2544593790b.exe
Token: SeDebugPrivilege	1832	iconfx.exe
Token: SeDebugPrivilege	1548	WerFault.exe
Token: SeDebugPrivilege	1076	iconfx.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

e136f191f0f60e3468e4d2544593790b.exee136f191f0f60e3468e4d2544593790b.execmd.execmd.exeiconfx.exe

description	pid	process	target process
PID 1960 wrote to memory of 1672	1960	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1960 wrote to memory of 1672	1960	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1960 wrote to memory of 1672	1960	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1960 wrote to memory of 1672	1960	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1960 wrote to memory of 1672	1960	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1960 wrote to memory of 1672	1960	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1960 wrote to memory of 1672	1960	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1960 wrote to memory of 1672	1960	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1960 wrote to memory of 1672	1960	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1960 wrote to memory of 2040	1960	e136f191f0f60e3468e4d2544593790b.exe	WerFault.exe
PID 1960 wrote to memory of 2040	1960	e136f191f0f60e3468e4d2544593790b.exe	WerFault.exe
PID 1960 wrote to memory of 2040	1960	e136f191f0f60e3468e4d2544593790b.exe	WerFault.exe
PID 1960 wrote to memory of 2040	1960	e136f191f0f60e3468e4d2544593790b.exe	WerFault.exe
PID 1672 wrote to memory of 772	1672	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1672 wrote to memory of 772	1672	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1672 wrote to memory of 772	1672	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1672 wrote to memory of 772	1672	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1672 wrote to memory of 1200	1672	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1672 wrote to memory of 1200	1672	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1672 wrote to memory of 1200	1672	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1672 wrote to memory of 1200	1672	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 772 wrote to memory of 448	772	cmd.exe	schtasks.exe
PID 772 wrote to memory of 448	772	cmd.exe	schtasks.exe
PID 772 wrote to memory of 448	772	cmd.exe	schtasks.exe
PID 772 wrote to memory of 448	772	cmd.exe	schtasks.exe
PID 1200 wrote to memory of 1068	1200	cmd.exe	timeout.exe
PID 1200 wrote to memory of 1068	1200	cmd.exe	timeout.exe
PID 1200 wrote to memory of 1068	1200	cmd.exe	timeout.exe
PID 1200 wrote to memory of 1068	1200	cmd.exe	timeout.exe
PID 1200 wrote to memory of 1832	1200	cmd.exe	iconfx.exe
PID 1200 wrote to memory of 1832	1200	cmd.exe	iconfx.exe
PID 1200 wrote to memory of 1832	1200	cmd.exe	iconfx.exe
PID 1200 wrote to memory of 1832	1200	cmd.exe	iconfx.exe
PID 1832 wrote to memory of 1096	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1096	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1096	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1096	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1104	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1104	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1104	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1104	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1076	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1076	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1076	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1076	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1076	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1076	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1076	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1076	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1076	1832	iconfx.exe	iconfx.exe
PID 1832 wrote to memory of 1548	1832	iconfx.exe	WerFault.exe
PID 1832 wrote to memory of 1548	1832	iconfx.exe	WerFault.exe
PID 1832 wrote to memory of 1548	1832	iconfx.exe	WerFault.exe
PID 1832 wrote to memory of 1548	1832	iconfx.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe
"C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe
"C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"'
4⤵
- Creates scheduled task(s)
PID:448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5734.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1068

C:\Users\Admin\AppData\Roaming\iconfx.exe
"C:\Users\Admin\AppData\Roaming\iconfx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Roaming\iconfx.exe
"C:\Users\Admin\AppData\Roaming\iconfx.exe"
5⤵
PID:1096

C:\Users\Admin\AppData\Roaming\iconfx.exe
"C:\Users\Admin\AppData\Roaming\iconfx.exe"
5⤵
PID:1104

C:\Users\Admin\AppData\Roaming\iconfx.exe
"C:\Users\Admin\AppData\Roaming\iconfx.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 668
5⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 644
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5734.tmp.bat
MD5
766691810939806bb216f3eef1ce52a4

SHA1
6ad7824c8fa00c8cd7e8f496d2be059b7547b973

SHA256
174e584c9ec9baeeb7693ae19ab26ff68079973f0ad1b4133a98881c0eb14497

SHA512
307ef3c8739230cb0f31d60706793a9880321a40af6fb89ce6354d474ab76b11c30daa208ea4023daad0c2abcc91cecc935a4f6de8a5fb679d4f61d51e645934

Download Submit
C:\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
C:\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
C:\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
memory/448-68-0x0000000000000000-mapping.dmp

Download
memory/772-65-0x0000000000000000-mapping.dmp

Download
memory/1068-69-0x0000000000000000-mapping.dmp

Download
memory/1076-92-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1076-79-0x000000000040C6FE-mapping.dmp

Download
memory/1200-66-0x0000000000000000-mapping.dmp

Download
memory/1548-84-0x0000000000000000-mapping.dmp

Download
memory/1548-90-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/1672-63-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/1672-64-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1672-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1672-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1672-57-0x000000000040C6FE-mapping.dmp

Download
memory/1832-75-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1832-76-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1832-73-0x0000000000000000-mapping.dmp

Download
memory/1960-54-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1960-53-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1960-55-0x0000000000580000-0x0000000000591000-memory.dmp

Filesize
68KB

Download
memory/1960-58-0x0000000000490000-0x0000000000493000-memory.dmp

Filesize
12KB

Download
memory/2040-62-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2040-61-0x0000000000000000-mapping.dmp

Download