asyncrat | 88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-en
submitted
15-09-2021 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e136f191f0f60e3468e4d2544593790b.exe
Size

586KB
MD5

e136f191f0f60e3468e4d2544593790b
SHA1

4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c
SHA256

88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757
SHA512

d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Score

10^/10

asyncrat wire$$$$$$$$rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WIRE$$$$$$$$

severdops.ddns.net:6204

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
true
install_file
iconfx.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1840-55-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1840-56-0x000000000040C6FE-mapping.dmp	asyncrat
behavioral1/memory/1840-57-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1268-78-0x000000000040C6FE-mapping.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

iconfx.exeiconfx.exe

pid process

576 iconfx.exe
1268 iconfx.exe
Loads dropped DLL 7 IoCs

Processes:

cmd.exeWerFault.exe

pid process

1064 cmd.exe
1064 cmd.exe
1604 WerFault.exe
1604 WerFault.exe
1604 WerFault.exe
1604 WerFault.exe
1604 WerFault.exe

pid	process
576	iconfx.exe
1268	iconfx.exe

pid	process
1064	cmd.exe
1064	cmd.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e136f191f0f60e3468e4d2544593790b.exeiconfx.exe

description	pid	process	target process
PID 1984 set thread context of 1840	1984	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 576 set thread context of 1268	576	iconfx.exe	iconfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1648 1984 WerFault.exe e136f191f0f60e3468e4d2544593790b.exe
1604 576 WerFault.exe iconfx.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1680 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

324 timeout.exe

pid	pid_target	process	target process
1648	1984	WerFault.exe	e136f191f0f60e3468e4d2544593790b.exe
1604	576	WerFault.exe	iconfx.exe

pid	process
1680	schtasks.exe

pid	process
324	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exee136f191f0f60e3468e4d2544593790b.exeWerFault.exe

pid	process
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1840	e136f191f0f60e3468e4d2544593790b.exe
1840	e136f191f0f60e3468e4d2544593790b.exe
1840	e136f191f0f60e3468e4d2544593790b.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid process

1648 WerFault.exe
1604 WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

e136f191f0f60e3468e4d2544593790b.exeWerFault.exee136f191f0f60e3468e4d2544593790b.exeiconfx.exeWerFault.exeiconfx.exe

description	pid	process
Token: SeDebugPrivilege	1984	e136f191f0f60e3468e4d2544593790b.exe
Token: SeDebugPrivilege	1648	WerFault.exe
Token: SeDebugPrivilege	1840	e136f191f0f60e3468e4d2544593790b.exe
Token: SeDebugPrivilege	576	iconfx.exe
Token: SeDebugPrivilege	1604	WerFault.exe
Token: SeDebugPrivilege	1268	iconfx.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

e136f191f0f60e3468e4d2544593790b.exee136f191f0f60e3468e4d2544593790b.execmd.execmd.exeiconfx.exe

description	pid	process	target process
PID 1984 wrote to memory of 1840	1984	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1984 wrote to memory of 1840	1984	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1984 wrote to memory of 1840	1984	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1984 wrote to memory of 1840	1984	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1984 wrote to memory of 1840	1984	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1984 wrote to memory of 1840	1984	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1984 wrote to memory of 1840	1984	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1984 wrote to memory of 1840	1984	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1984 wrote to memory of 1840	1984	e136f191f0f60e3468e4d2544593790b.exe	e136f191f0f60e3468e4d2544593790b.exe
PID 1984 wrote to memory of 1648	1984	e136f191f0f60e3468e4d2544593790b.exe	WerFault.exe
PID 1984 wrote to memory of 1648	1984	e136f191f0f60e3468e4d2544593790b.exe	WerFault.exe
PID 1984 wrote to memory of 1648	1984	e136f191f0f60e3468e4d2544593790b.exe	WerFault.exe
PID 1984 wrote to memory of 1648	1984	e136f191f0f60e3468e4d2544593790b.exe	WerFault.exe
PID 1840 wrote to memory of 1284	1840	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1840 wrote to memory of 1284	1840	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1840 wrote to memory of 1284	1840	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1840 wrote to memory of 1284	1840	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1840 wrote to memory of 1064	1840	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1840 wrote to memory of 1064	1840	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1840 wrote to memory of 1064	1840	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1840 wrote to memory of 1064	1840	e136f191f0f60e3468e4d2544593790b.exe	cmd.exe
PID 1284 wrote to memory of 1680	1284	cmd.exe	schtasks.exe
PID 1284 wrote to memory of 1680	1284	cmd.exe	schtasks.exe
PID 1284 wrote to memory of 1680	1284	cmd.exe	schtasks.exe
PID 1284 wrote to memory of 1680	1284	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 324	1064	cmd.exe	timeout.exe
PID 1064 wrote to memory of 324	1064	cmd.exe	timeout.exe
PID 1064 wrote to memory of 324	1064	cmd.exe	timeout.exe
PID 1064 wrote to memory of 324	1064	cmd.exe	timeout.exe
PID 1064 wrote to memory of 576	1064	cmd.exe	iconfx.exe
PID 1064 wrote to memory of 576	1064	cmd.exe	iconfx.exe
PID 1064 wrote to memory of 576	1064	cmd.exe	iconfx.exe
PID 1064 wrote to memory of 576	1064	cmd.exe	iconfx.exe
PID 576 wrote to memory of 1268	576	iconfx.exe	iconfx.exe
PID 576 wrote to memory of 1268	576	iconfx.exe	iconfx.exe
PID 576 wrote to memory of 1268	576	iconfx.exe	iconfx.exe
PID 576 wrote to memory of 1268	576	iconfx.exe	iconfx.exe
PID 576 wrote to memory of 1268	576	iconfx.exe	iconfx.exe
PID 576 wrote to memory of 1268	576	iconfx.exe	iconfx.exe
PID 576 wrote to memory of 1268	576	iconfx.exe	iconfx.exe
PID 576 wrote to memory of 1268	576	iconfx.exe	iconfx.exe
PID 576 wrote to memory of 1268	576	iconfx.exe	iconfx.exe
PID 576 wrote to memory of 1604	576	iconfx.exe	WerFault.exe
PID 576 wrote to memory of 1604	576	iconfx.exe	WerFault.exe
PID 576 wrote to memory of 1604	576	iconfx.exe	WerFault.exe
PID 576 wrote to memory of 1604	576	iconfx.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe
"C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe
"C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"'
4⤵
- Creates scheduled task(s)
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp44CD.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:324

C:\Users\Admin\AppData\Roaming\iconfx.exe
"C:\Users\Admin\AppData\Roaming\iconfx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Roaming\iconfx.exe
"C:\Users\Admin\AppData\Roaming\iconfx.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 660
5⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 640
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp44CD.tmp.bat
MD5
812ad8f53a2d2bd454c9cde739e47cc1

SHA1
d2a9fdf9d2a15f6f473952e4960d6802d4678ff8

SHA256
a9519a3e0c2105c84d61ab35537a1e061a8531dc3ca748a2d743bd38c3494cb0

SHA512
ccf24d3ea7197e710b332c8c9dd6c19f016895b23d0e118bc204e61f3117a158b19d53691310045fc5b3908f5819ad33d0c148f19daa96b9e6b445e96e8c4400

Download Submit
C:\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
C:\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
C:\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
MD5
e136f191f0f60e3468e4d2544593790b

SHA1
4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c

SHA256
88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757

SHA512
d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874

Download Submit
memory/324-68-0x0000000000000000-mapping.dmp

Download
memory/576-75-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/576-74-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/576-72-0x0000000000000000-mapping.dmp

Download
memory/1064-65-0x0000000000000000-mapping.dmp

Download
memory/1268-78-0x000000000040C6FE-mapping.dmp

Download
memory/1268-91-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/1284-64-0x0000000000000000-mapping.dmp

Download
memory/1604-89-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1604-83-0x0000000000000000-mapping.dmp

Download
memory/1648-60-0x0000000000000000-mapping.dmp

Download
memory/1648-61-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1680-67-0x0000000000000000-mapping.dmp

Download
memory/1840-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1840-63-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1840-62-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1840-56-0x000000000040C6FE-mapping.dmp

Download
memory/1840-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1984-53-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/1984-52-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1984-54-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/1984-59-0x00000000002F0000-0x00000000002F3000-memory.dmp

Filesize
12KB

Download