asyncrat | 7226d29a62bfc505a5cd9c8d13603237821caa5075bea311f095272334827e58

Analysis

max time kernel
364s
max time network
600s
platform
windows10_x64
resource
win10-en-20211208
submitted
25-01-2022 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.ps1
Size

316KB
MD5

da2ba0198037e33b0d775ea03da6169e
SHA1

6f195cfa87f25ece7ac46c96db03ff05e057abdc
SHA256

7226d29a62bfc505a5cd9c8d13603237821caa5075bea311f095272334827e58
SHA512

96489864076cdd83acf860bb50f055f45f4530f31d9c4d147f3bbd42182e02001502588ff43ae74882cf99a7f65dc1dd749c8133225e5158bac5c7f699d59320

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1436-245-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2360 set thread context of 1436 2360 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings powershell.exe

description	pid	process	target process
PID 2360 set thread context of 1436	2360	powershell.exe	aspnet_compiler.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
2732	powershell.exe
2732	powershell.exe
2732	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeIncreaseQuotaPrivilege	740	powershell.exe
Token: SeSecurityPrivilege	740	powershell.exe
Token: SeTakeOwnershipPrivilege	740	powershell.exe
Token: SeLoadDriverPrivilege	740	powershell.exe
Token: SeSystemProfilePrivilege	740	powershell.exe
Token: SeSystemtimePrivilege	740	powershell.exe
Token: SeProfSingleProcessPrivilege	740	powershell.exe
Token: SeIncBasePriorityPrivilege	740	powershell.exe
Token: SeCreatePagefilePrivilege	740	powershell.exe
Token: SeBackupPrivilege	740	powershell.exe
Token: SeRestorePrivilege	740	powershell.exe
Token: SeShutdownPrivilege	740	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeSystemEnvironmentPrivilege	740	powershell.exe
Token: SeRemoteShutdownPrivilege	740	powershell.exe
Token: SeUndockPrivilege	740	powershell.exe
Token: SeManageVolumePrivilege	740	powershell.exe
Token: 33	740	powershell.exe
Token: 34	740	powershell.exe
Token: 35	740	powershell.exe
Token: 36	740	powershell.exe
Token: SeIncreaseQuotaPrivilege	740	powershell.exe
Token: SeSecurityPrivilege	740	powershell.exe
Token: SeTakeOwnershipPrivilege	740	powershell.exe
Token: SeLoadDriverPrivilege	740	powershell.exe
Token: SeSystemProfilePrivilege	740	powershell.exe
Token: SeSystemtimePrivilege	740	powershell.exe
Token: SeProfSingleProcessPrivilege	740	powershell.exe
Token: SeIncBasePriorityPrivilege	740	powershell.exe
Token: SeCreatePagefilePrivilege	740	powershell.exe
Token: SeBackupPrivilege	740	powershell.exe
Token: SeRestorePrivilege	740	powershell.exe
Token: SeShutdownPrivilege	740	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeSystemEnvironmentPrivilege	740	powershell.exe
Token: SeRemoteShutdownPrivilege	740	powershell.exe
Token: SeUndockPrivilege	740	powershell.exe
Token: SeManageVolumePrivilege	740	powershell.exe
Token: 33	740	powershell.exe
Token: 34	740	powershell.exe
Token: 35	740	powershell.exe
Token: 36	740	powershell.exe
Token: SeIncreaseQuotaPrivilege	740	powershell.exe
Token: SeSecurityPrivilege	740	powershell.exe
Token: SeTakeOwnershipPrivilege	740	powershell.exe
Token: SeLoadDriverPrivilege	740	powershell.exe
Token: SeSystemProfilePrivilege	740	powershell.exe
Token: SeSystemtimePrivilege	740	powershell.exe
Token: SeProfSingleProcessPrivilege	740	powershell.exe
Token: SeIncBasePriorityPrivilege	740	powershell.exe
Token: SeCreatePagefilePrivilege	740	powershell.exe
Token: SeBackupPrivilege	740	powershell.exe
Token: SeRestorePrivilege	740	powershell.exe
Token: SeShutdownPrivilege	740	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeSystemEnvironmentPrivilege	740	powershell.exe
Token: SeRemoteShutdownPrivilege	740	powershell.exe
Token: SeUndockPrivilege	740	powershell.exe
Token: SeManageVolumePrivilege	740	powershell.exe
Token: 33	740	powershell.exe
Token: 34	740	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

powershell.exeWScript.execmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 2732 wrote to memory of 1600	2732	powershell.exe	WScript.exe
PID 2732 wrote to memory of 1600	2732	powershell.exe	WScript.exe
PID 1600 wrote to memory of 2648	1600	WScript.exe	cmd.exe
PID 1600 wrote to memory of 2648	1600	WScript.exe	cmd.exe
PID 2648 wrote to memory of 740	2648	cmd.exe	powershell.exe
PID 2648 wrote to memory of 740	2648	cmd.exe	powershell.exe
PID 740 wrote to memory of 64	740	powershell.exe	WScript.exe
PID 740 wrote to memory of 64	740	powershell.exe	WScript.exe
PID 64 wrote to memory of 1408	64	WScript.exe	cmd.exe
PID 64 wrote to memory of 1408	64	WScript.exe	cmd.exe
PID 1408 wrote to memory of 2360	1408	cmd.exe	powershell.exe
PID 1408 wrote to memory of 2360	1408	cmd.exe	powershell.exe
PID 2360 wrote to memory of 2688	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 2688	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 2688	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 1436	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 1436	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 1436	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 1436	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 1436	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 1436	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 1436	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 1436	2360	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2.ps1
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Device\install.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Device\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\Device\install.ps1'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Device\mail.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Device\mail.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\Device\mail.ps1'"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
8⤵
PID:2688

C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
8⤵
PID:1436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Device\install.bat
MD5
6b6770811f4839130552c1fe48abe429

SHA1
95a6dcc6a5e2e4a63c26d559ee673ac0cbba0536

SHA256
c1c92e61404621723b765fa9f00830bbb499e3bf1a99625f3583516dfb86fe9f

SHA512
dcd6ea06f456fa7cbcdb9bdc2e247fa269d66640ebabb95e976d224e80c9b1e1c8ec6577767ce357098e15115fed7c1be38a4c34641efcde8101396076c37931

Download Submit
C:\ProgramData\Device\install.ps1
MD5
3b6eefe192069cff7489b2ae69c07afc

SHA1
31cd81c0db3eb8908771e26e8d45d7f23d201818

SHA256
f60e89cbc97d41c43979ab8481e60d18300acb5fa9b72a41a21d31ac91e9793d

SHA512
73d6575d6bcce7333561319a198216d175238f730721fdaa3e7af2f9a07d81e2340109029037201d63f3fbcb9bd2f9ce305302bf41000031ebf87cdb252fdeac

Download Submit
C:\ProgramData\Device\install.vbs
MD5
dab56582b5e0b82196fc56d5b5dc8036

SHA1
de592fcf648a5be35438c3f4b8508da8b3a95b09

SHA256
2ba0f1158bae09a5c42a523a1776616a3d8fb6ca9848d6b92b6ea9c071307f8e

SHA512
ffc0cabcac6c77a61728bbae5adf8d46407fc97be44301b0f3c86f158b20f79c65b56d46a4c9da9b6ada0771843e6da377e2dc3ae9c77a46ed287994af37c1bc

Download Submit
C:\ProgramData\Device\mail.bat
MD5
77517a39874a342619d6b9762aa22095

SHA1
561476803ef1b9fb997833c358fe67c49b9876b5

SHA256
6daa0b56a9bbf5a8ad954af2c4b447b5ac2750ed643706b469b73b3829a939a5

SHA512
cde749fbd1a9958b0fc4eed3ae15586c7a96da9ce0d7d047b705b4eec12526ab01649c91b607ebaf7964f1ef957bae80f706eff06c71c6bcab9d9c9b19ace24f

Download Submit
C:\ProgramData\Device\mail.ps1
MD5
43f35e68a99efe5854553e9a39ee798a

SHA1
f611bdb79daaff2ee4d45c6509d79cdaf1e59221

SHA256
7e626e1d08ba85447cff2698b42320fc760ffa30ff8da471b0ada40eba840710

SHA512
04a4630c5ba9588bd4dd9e94b8a1168b0eddf659319a5903f82161cb0aecf1ed4f251479f5196fe0d7dc61a5ceb5d05e586c3f1b23b215572904e3ab25898703

Download Submit
C:\ProgramData\Device\mail.vbs
MD5
9ccb5561d91a0790d6d026f6238c21f8

SHA1
4fc58d58533b4031dccd1a0f72f53d9ef19cd31b

SHA256
75e60ff2d313c016135691692a1279dded3699c22963faf47f573201a8db80ba

SHA512
37d32c9e279f9331dde98f2a9e986ab06c4a697b5ac86a10b77ab65e0db3f26e021372a49bd206df9e917863d225b2a6d499c0b8601190ce5a7367a7aae7a0c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
f290ff33102bc945b87b6871ce2f7cc4

SHA1
45f1664693c3d7c3b483897e69be3dac5618dd1a

SHA256
3f889f11dfa53455f75f8bad373308ba35e5016ede65b9785626322d131727a6

SHA512
f7f6e6ed9a03a5c31a904438736951698a335d508802cd9b0386e69df41671cdb9650d67d1d59aca30b3a4908d676dfb37bc7bff41f8796bef671152a5d6f57b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b3130c177fa303597c8752f66660619a

SHA1
bf72fec22e1cb778fbc39ad32b73a531870d6725

SHA256
605ec89869f51b89e79436466d3f92fe1420a6d542751ffa025b674e6c004139

SHA512
2157c4823a11860f89619983f6cc5099c2a6fd5bf9773f2c7abc844485a699d12b16d5981f018ea2e5be27f47994cd5732b848e35dd67cc6ea26bda9ca35c7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e7a03ca651467162c899e16fc42fe589

SHA1
b1656f83b64688ecf604df13c7b1befdc4f3b3e4

SHA256
fa1f8b7671ea19cdfd1d51c04cb6279f2f0b9c58d5c766beb0e0eb344457d6eb

SHA512
c864202d31f1e0c5edec0df39d0a4ff948087919b733dc27ceb8171b244f8c8ed1443f95bd2317bd9babd474862e43e5df61782fac7bfb4ceb9506f351cf1964

Download Submit
memory/740-221-0x00000236752B6000-0x00000236752B8000-memory.dmp

Filesize
8KB

Download
memory/740-197-0x00000236752B0000-0x00000236752B2000-memory.dmp

Filesize
8KB

Download
memory/740-198-0x00000236752B3000-0x00000236752B5000-memory.dmp

Filesize
8KB

Download
memory/1436-253-0x0000000006800000-0x000000000687E000-memory.dmp

Filesize
504KB

Download
memory/1436-254-0x0000000006940000-0x000000000695E000-memory.dmp

Filesize
120KB

Download
memory/1436-259-0x0000000006EA0000-0x0000000006EEB000-memory.dmp

Filesize
300KB

Download
memory/1436-258-0x0000000006E40000-0x0000000006EA0000-memory.dmp

Filesize
384KB

Download
memory/1436-257-0x0000000006DA0000-0x0000000006E30000-memory.dmp

Filesize
576KB

Download
memory/1436-256-0x0000000006D90000-0x0000000006D9A000-memory.dmp

Filesize
40KB

Download
memory/1436-245-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1436-255-0x00000000069C0000-0x0000000006D10000-memory.dmp

Filesize
3.3MB

Download
memory/1436-248-0x0000000002930000-0x00000000029F0000-memory.dmp

Filesize
768KB

Download
memory/1436-249-0x0000000005920000-0x00000000059BC000-memory.dmp

Filesize
624KB

Download
memory/1436-250-0x0000000005EC0000-0x00000000063BE000-memory.dmp

Filesize
5.0MB

Download
memory/1436-251-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/1436-252-0x0000000006880000-0x00000000068F6000-memory.dmp

Filesize
472KB

Download
memory/2360-242-0x000001C71C690000-0x000001C71C6AA000-memory.dmp

Filesize
104KB

Download
memory/2360-216-0x000001C71A553000-0x000001C71A555000-memory.dmp

Filesize
8KB

Download
memory/2360-215-0x000001C71A550000-0x000001C71A552000-memory.dmp

Filesize
8KB

Download
memory/2732-127-0x0000024DB3A30000-0x0000024DB3AA6000-memory.dmp

Filesize
472KB

Download
memory/2732-121-0x0000024DB1850000-0x0000024DB1852000-memory.dmp

Filesize
8KB

Download
memory/2732-120-0x0000024D99260000-0x0000024D99282000-memory.dmp

Filesize
136KB

Download
memory/2732-122-0x0000024DB1853000-0x0000024DB1855000-memory.dmp

Filesize
8KB

Download