asyncrat | 799763440e6afd098c97b79ac8e9e947bc49b69b311e98ceee8b9153ce9397e6

General

Target

IMG_212022100120011.exe
Size

69KB
MD5

cecfdefc8f201d03066386a9a6b011f0
SHA1

fd451496139859f387cfef71404d50d042297ca0
SHA256

5b476b935cae4bf02299f7dee135b0bb091fd7716b2973d7172e04f4f2985d72
SHA512

aed76f8f33573fc1b62fd9e194e797fbccb7209e526ef6dc980882c6b889db6b6742e88d8fad0e0e29bc4620b7ae857be02cab380439cb231748c1fbc3d2fd8b

Score

10^/10

asyncrat persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4016-121-0x0000000000400000-0x000000000041A000-memory.dmp	asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IMG_212022100120011.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mword = "\"C:\\Users\\Admin\\AppData\\Roaming\\Word\\Mword.exe\""	IMG_212022100120011.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

IMG_212022100120011.exe

description pid process target process

PID 808 set thread context of 4016 808 IMG_212022100120011.exe IMG_212022100120011.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 808 set thread context of 4016	808	IMG_212022100120011.exe	IMG_212022100120011.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
860	PING.EXE
2932	PING.EXE
1956	PING.EXE
1436	PING.EXE
1656	PING.EXE
2028	PING.EXE
3016	PING.EXE
3148	PING.EXE
836	PING.EXE
4044	PING.EXE
4080	PING.EXE
1252	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

IMG_212022100120011.exe

pid	process
808	IMG_212022100120011.exe
808	IMG_212022100120011.exe
808	IMG_212022100120011.exe
808	IMG_212022100120011.exe
808	IMG_212022100120011.exe
808	IMG_212022100120011.exe
808	IMG_212022100120011.exe
808	IMG_212022100120011.exe
808	IMG_212022100120011.exe
808	IMG_212022100120011.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

IMG_212022100120011.exeIMG_212022100120011.exe

description pid process

Token: SeDebugPrivilege 808 IMG_212022100120011.exe
Token: SeDebugPrivilege 4016 IMG_212022100120011.exe

description	pid	process
Token: SeDebugPrivilege	808	IMG_212022100120011.exe
Token: SeDebugPrivilege	4016	IMG_212022100120011.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

IMG_212022100120011.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 808 wrote to memory of 3088	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 3088	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 3088	808	IMG_212022100120011.exe	cmd.exe
PID 3088 wrote to memory of 860	3088	cmd.exe	PING.EXE
PID 3088 wrote to memory of 860	3088	cmd.exe	PING.EXE
PID 3088 wrote to memory of 860	3088	cmd.exe	PING.EXE
PID 808 wrote to memory of 1092	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 1092	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 1092	808	IMG_212022100120011.exe	cmd.exe
PID 1092 wrote to memory of 3148	1092	cmd.exe	PING.EXE
PID 1092 wrote to memory of 3148	1092	cmd.exe	PING.EXE
PID 1092 wrote to memory of 3148	1092	cmd.exe	PING.EXE
PID 808 wrote to memory of 2948	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 2948	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 2948	808	IMG_212022100120011.exe	cmd.exe
PID 2948 wrote to memory of 836	2948	cmd.exe	PING.EXE
PID 2948 wrote to memory of 836	2948	cmd.exe	PING.EXE
PID 2948 wrote to memory of 836	2948	cmd.exe	PING.EXE
PID 808 wrote to memory of 4024	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 4024	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 4024	808	IMG_212022100120011.exe	cmd.exe
PID 4024 wrote to memory of 4044	4024	cmd.exe	PING.EXE
PID 4024 wrote to memory of 4044	4024	cmd.exe	PING.EXE
PID 4024 wrote to memory of 4044	4024	cmd.exe	PING.EXE
PID 808 wrote to memory of 3244	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 3244	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 3244	808	IMG_212022100120011.exe	cmd.exe
PID 3244 wrote to memory of 4080	3244	cmd.exe	PING.EXE
PID 3244 wrote to memory of 4080	3244	cmd.exe	PING.EXE
PID 3244 wrote to memory of 4080	3244	cmd.exe	PING.EXE
PID 808 wrote to memory of 1368	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 1368	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 1368	808	IMG_212022100120011.exe	cmd.exe
PID 1368 wrote to memory of 2932	1368	cmd.exe	PING.EXE
PID 1368 wrote to memory of 2932	1368	cmd.exe	PING.EXE
PID 1368 wrote to memory of 2932	1368	cmd.exe	PING.EXE
PID 808 wrote to memory of 1068	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 1068	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 1068	808	IMG_212022100120011.exe	cmd.exe
PID 1068 wrote to memory of 1252	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 1252	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 1252	1068	cmd.exe	PING.EXE
PID 808 wrote to memory of 720	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 720	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 720	808	IMG_212022100120011.exe	cmd.exe
PID 720 wrote to memory of 1956	720	cmd.exe	PING.EXE
PID 720 wrote to memory of 1956	720	cmd.exe	PING.EXE
PID 720 wrote to memory of 1956	720	cmd.exe	PING.EXE
PID 808 wrote to memory of 2012	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 2012	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 2012	808	IMG_212022100120011.exe	cmd.exe
PID 2012 wrote to memory of 1436	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 1436	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 1436	2012	cmd.exe	PING.EXE
PID 808 wrote to memory of 1376	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 1376	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 1376	808	IMG_212022100120011.exe	cmd.exe
PID 1376 wrote to memory of 1656	1376	cmd.exe	PING.EXE
PID 1376 wrote to memory of 1656	1376	cmd.exe	PING.EXE
PID 1376 wrote to memory of 1656	1376	cmd.exe	PING.EXE
PID 808 wrote to memory of 3520	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 3520	808	IMG_212022100120011.exe	cmd.exe
PID 808 wrote to memory of 3520	808	IMG_212022100120011.exe	cmd.exe
PID 3520 wrote to memory of 2028	3520	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\IMG_212022100120011.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_212022100120011.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
3⤵
- Runs ping.exe
PID:3148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
2⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
3⤵
- Runs ping.exe
PID:836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:4044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
2⤵
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
3⤵
- Runs ping.exe
PID:4080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
3⤵
- Runs ping.exe
PID:2932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
2⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
3⤵
- Runs ping.exe
PID:1956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
3⤵
- Runs ping.exe
PID:1436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
2⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
3⤵
- Runs ping.exe
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
2⤵
PID:2300

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
3⤵
- Runs ping.exe
PID:3016

C:\Users\Admin\AppData\Local\Temp\IMG_212022100120011.exe
C:\Users\Admin\AppData\Local\Temp\IMG_212022100120011.exe
2⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\IMG_212022100120011.exe
C:\Users\Admin\AppData\Local\Temp\IMG_212022100120011.exe
2⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\IMG_212022100120011.exe
C:\Users\Admin\AppData\Local\Temp\IMG_212022100120011.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IMG_212022100120011.exe.log
MD5
991efa4b1d1cef138f583ef9ff666f21

SHA1
0d3b02820022451b81975ec3b34e5770565c91f8

SHA256
8a1a561eebd06d4022277ff39450dceb5fdc0ffc343d9cf9c84a0d8e874d09e9

SHA512
1dfc75426fab9e402fd35c8f4b200790f4b7e6241f128d81e6996aaa427742a1dff7e6db6e321c1c4d76bef631bcf07102bf7940cf59b5f5b4618fc7687da909

Download Submit
memory/808-115-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/808-116-0x0000000004A30000-0x0000000004CB1000-memory.dmp

Filesize
2.5MB

Download
memory/808-117-0x0000000004C40000-0x0000000004C8C000-memory.dmp

Filesize
304KB

Download
memory/808-118-0x0000000005530000-0x0000000005564000-memory.dmp

Filesize
208KB

Download
memory/808-119-0x00000000057E0000-0x000000000582C000-memory.dmp

Filesize
304KB

Download
memory/808-120-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/4016-121-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4016-123-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/4016-124-0x0000000002F00000-0x0000000002F0A000-memory.dmp

Filesize
40KB

Download
memory/4016-125-0x0000000005A10000-0x0000000005AAC000-memory.dmp

Filesize
624KB

Download
memory/4016-126-0x0000000005FB0000-0x00000000064AE000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads