asyncrat | 88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

General

Target

e136f191f0f60e3468e4d2544593790b.exe
Size

586KB
MD5

e136f191f0f60e3468e4d2544593790b
SHA1

4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c
SHA256

88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757
SHA512

d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Score

10^/10

asyncrat wire$$$$$$$$rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WIRE$$$$$$$$

C2

severdops.ddns.net:6204

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
true
install_file
iconfx.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3964-122-0x000000000040C6FE-mapping.dmp	asyncrat
behavioral2/memory/3964-121-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1852-143-0x000000000040C6FE-mapping.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

iconfx.exeiconfx.exe

pid process

1296 iconfx.exe
1852 iconfx.exe

pid	process
1296	iconfx.exe
1852	iconfx.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e136f191f0f60e3468e4d2544593790b.exeiconfx.exe

description	pid	process	target process
PID 2700 set thread context of 3964	2700	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1296 set thread context of 1852	1296	iconfx.exe	iconfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2780 2700 WerFault.exe e136f191f0f60e3468e4d2544593790b.exe
2184 1296 WerFault.exe iconfx.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

948 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1120 timeout.exe

pid	pid_target	process	target process
2780	2700	WerFault.exe	e136f191f0f60e3468e4d2544593790b.exe
2184	1296	WerFault.exe	iconfx.exe

pid	process
948	schtasks.exe

pid	process
1120	timeout.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

WerFault.exee136f191f0f60e3468e4d2544593790b.exeWerFault.exe

pid	process
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
3964	e136f191f0f60e3468e4d2544593790b.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

e136f191f0f60e3468e4d2544593790b.exeWerFault.exee136f191f0f60e3468e4d2544593790b.exeiconfx.exeWerFault.exeiconfx.exe

description	pid	process
Token: SeDebugPrivilege	2700	e136f191f0f60e3468e4d2544593790b.exe
Token: SeRestorePrivilege	2780	WerFault.exe
Token: SeBackupPrivilege	2780	WerFault.exe
Token: SeDebugPrivilege	2780	WerFault.exe
Token: SeDebugPrivilege	3964	e136f191f0f60e3468e4d2544593790b.exe
Token: SeDebugPrivilege	1296	iconfx.exe
Token: SeDebugPrivilege	2184	WerFault.exe
Token: SeDebugPrivilege	1852	iconfx.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

e136f191f0f60e3468e4d2544593790b.exee136f191f0f60e3468e4d2544593790b.execmd.execmd.exeiconfx.exe

description	pid	process	target process
PID 2700 wrote to memory of 3964	2700	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 2700 wrote to memory of 3964	2700	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 2700 wrote to memory of 3964	2700	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 2700 wrote to memory of 3964	2700	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 2700 wrote to memory of 3964	2700	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 2700 wrote to memory of 3964	2700	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 2700 wrote to memory of 3964	2700	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 2700 wrote to memory of 3964	2700	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 3964 wrote to memory of 644	3964	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 3964 wrote to memory of 644	3964	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 3964 wrote to memory of 644	3964	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 3964 wrote to memory of 2568	3964	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 3964 wrote to memory of 2568	3964	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 3964 wrote to memory of 2568	3964	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 644 wrote to memory of 948	644	cmd.exe	schtasks.exe
PID 644 wrote to memory of 948	644	cmd.exe	schtasks.exe
PID 644 wrote to memory of 948	644	cmd.exe	schtasks.exe
PID 2568 wrote to memory of 1120	2568	cmd.exe	timeout.exe
PID 2568 wrote to memory of 1120	2568	cmd.exe	timeout.exe
PID 2568 wrote to memory of 1120	2568	cmd.exe	timeout.exe
PID 2568 wrote to memory of 1296	2568	cmd.exe	iconfx.exe
PID 2568 wrote to memory of 1296	2568	cmd.exe	iconfx.exe
PID 2568 wrote to memory of 1296	2568	cmd.exe	iconfx.exe
PID 1296 wrote to memory of 1852	1296	iconfx.exe	iconfx.exe
PID 1296 wrote to memory of 1852	1296	iconfx.exe	iconfx.exe
PID 1296 wrote to memory of 1852	1296	iconfx.exe	iconfx.exe
PID 1296 wrote to memory of 1852	1296	iconfx.exe	iconfx.exe
PID 1296 wrote to memory of 1852	1296	iconfx.exe	iconfx.exe
PID 1296 wrote to memory of 1852	1296	iconfx.exe	iconfx.exe
PID 1296 wrote to memory of 1852	1296	iconfx.exe	iconfx.exe
PID 1296 wrote to memory of 1852	1296	iconfx.exe	iconfx.exe

C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe
"C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe
"C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"'
4⤵
- Creates scheduled task(s)
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6C6B.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1120

C:\Users\Admin\AppData\Roaming\iconfx.exe
"C:\Users\Admin\AppData\Roaming\iconfx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Roaming\iconfx.exe
"C:\Users\Admin\AppData\Roaming\iconfx.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1116
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1084
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6C6B.tmp.bat
MD5
113b7bb336af71a200a54192308bf7ce

SHA1
046345d4d9b2eec57ab38dfaeac8467e07fa10ff

SHA256
4b02e18428750e208357d8d84214bf43692a18409a67ba13ccdd3b11be3a7ca5

SHA512
4c091fc7cba5d0b7beb870d8cb92dbc0857ecea7af7259218b14aacc505697089bab34a60f102add791dc2718cd7c125759e2f7eee7c2feb45c4c9c00a544205

Download Submit
C:\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
C:\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
C:\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
memory/644-128-0x0000000000000000-mapping.dmp

Download
memory/948-131-0x0000000000000000-mapping.dmp

Download
memory/1120-132-0x0000000000000000-mapping.dmp

Download
memory/1296-139-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/1296-133-0x0000000000000000-mapping.dmp

Download
memory/1852-148-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/1852-143-0x000000000040C6FE-mapping.dmp

Download
memory/2568-129-0x0000000000000000-mapping.dmp

Download
memory/2700-120-0x0000000004C40000-0x0000000004C51000-memory.dmp

Filesize
68KB

Download
memory/2700-123-0x0000000004D10000-0x0000000004D13000-memory.dmp

Filesize
12KB

Download
memory/2700-115-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2700-119-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/2700-118-0x0000000004CA0000-0x000000000519E000-memory.dmp

Filesize
5.0MB

Download
memory/2700-117-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2700-116-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/3964-126-0x0000000001590000-0x0000000001591000-memory.dmp

Filesize
4KB

Download
memory/3964-125-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3964-121-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3964-122-0x000000000040C6FE-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads