asyncrat | 20126f0e6a271df71f9ab0838c03bb6554b106773f66fb9c28eb7bf4e685399d

General

Target

f8111a92842e5e377c21f38d3f355911.exe
Size

303KB
MD5

f8111a92842e5e377c21f38d3f355911
SHA1

6a5d2c528430b1ff8813fc01c522b5a4b6cf4494
SHA256

20126f0e6a271df71f9ab0838c03bb6554b106773f66fb9c28eb7bf4e685399d
SHA512

aed02a61ffc1567d12ac05a8d5b32c7c8635059dd2713e2b8cd5e0a434c46618ae9f7cc528e09c862e8d5228471e6a67533c19545d05683fd642cdb237d8ec15

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1036-130-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

f8111a92842e5e377c21f38d3f355911.exe

description pid process target process

PID 3520 set thread context of 1036 3520 f8111a92842e5e377c21f38d3f355911.exe f8111a92842e5e377c21f38d3f355911.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1824 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1808 powershell.exe
1808 powershell.exe
1808 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1808 powershell.exe

description	pid	process	target process
PID 3520 set thread context of 1036	3520	f8111a92842e5e377c21f38d3f355911.exe	f8111a92842e5e377c21f38d3f355911.exe

pid	process
1824	schtasks.exe

pid	process
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1808	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f8111a92842e5e377c21f38d3f355911.exe

description	pid	process	target process
PID 3520 wrote to memory of 1808	3520	f8111a92842e5e377c21f38d3f355911.exe	powershell.exe
PID 3520 wrote to memory of 1808	3520	f8111a92842e5e377c21f38d3f355911.exe	powershell.exe
PID 3520 wrote to memory of 1808	3520	f8111a92842e5e377c21f38d3f355911.exe	powershell.exe
PID 3520 wrote to memory of 1824	3520	f8111a92842e5e377c21f38d3f355911.exe	schtasks.exe
PID 3520 wrote to memory of 1824	3520	f8111a92842e5e377c21f38d3f355911.exe	schtasks.exe
PID 3520 wrote to memory of 1824	3520	f8111a92842e5e377c21f38d3f355911.exe	schtasks.exe
PID 3520 wrote to memory of 1036	3520	f8111a92842e5e377c21f38d3f355911.exe	f8111a92842e5e377c21f38d3f355911.exe
PID 3520 wrote to memory of 1036	3520	f8111a92842e5e377c21f38d3f355911.exe	f8111a92842e5e377c21f38d3f355911.exe
PID 3520 wrote to memory of 1036	3520	f8111a92842e5e377c21f38d3f355911.exe	f8111a92842e5e377c21f38d3f355911.exe
PID 3520 wrote to memory of 1036	3520	f8111a92842e5e377c21f38d3f355911.exe	f8111a92842e5e377c21f38d3f355911.exe
PID 3520 wrote to memory of 1036	3520	f8111a92842e5e377c21f38d3f355911.exe	f8111a92842e5e377c21f38d3f355911.exe
PID 3520 wrote to memory of 1036	3520	f8111a92842e5e377c21f38d3f355911.exe	f8111a92842e5e377c21f38d3f355911.exe
PID 3520 wrote to memory of 1036	3520	f8111a92842e5e377c21f38d3f355911.exe	f8111a92842e5e377c21f38d3f355911.exe
PID 3520 wrote to memory of 1036	3520	f8111a92842e5e377c21f38d3f355911.exe	f8111a92842e5e377c21f38d3f355911.exe

C:\Users\Admin\AppData\Local\Temp\f8111a92842e5e377c21f38d3f355911.exe
"C:\Users\Admin\AppData\Local\Temp\f8111a92842e5e377c21f38d3f355911.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DmmczBXpJ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DmmczBXpJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp59F3.tmp"
2⤵
- Creates scheduled task(s)
PID:1824

C:\Users\Admin\AppData\Local\Temp\f8111a92842e5e377c21f38d3f355911.exe
"C:\Users\Admin\AppData\Local\Temp\f8111a92842e5e377c21f38d3f355911.exe"
2⤵
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f8111a92842e5e377c21f38d3f355911.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp59F3.tmp
MD5
88bb8116f55cb4fdb74707f156ac0b2e

SHA1
54aab613575465cc0ce187a7d98b042e989388d3

SHA256
86e6e000d615a111441c1add993cc6fcc0518277c332b8f184a44e5520f57f44

SHA512
239e9003d9cb26c2c07c1b95ba67f903633f0dbd881a7b178325ab12b4d000ccc378731c362aafd07d59578aaa82d9b51203783d9adf674583c0f94e32d0fd8c

Download Submit
memory/1036-139-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/1036-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1808-140-0x0000000007980000-0x000000000799C000-memory.dmp

Filesize
112KB

Download
memory/1808-151-0x0000000009320000-0x0000000009353000-memory.dmp

Filesize
204KB

Download
memory/1808-358-0x0000000008310000-0x0000000008318000-memory.dmp

Filesize
32KB

Download
memory/1808-353-0x0000000009540000-0x000000000955A000-memory.dmp

Filesize
104KB

Download
memory/1808-160-0x0000000002EF3000-0x0000000002EF4000-memory.dmp

Filesize
4KB

Download
memory/1808-129-0x0000000002F00000-0x0000000002F36000-memory.dmp

Filesize
216KB

Download
memory/1808-159-0x00000000095E0000-0x0000000009674000-memory.dmp

Filesize
592KB

Download
memory/1808-158-0x000000007EB70000-0x000000007EB71000-memory.dmp

Filesize
4KB

Download
memory/1808-132-0x0000000007210000-0x0000000007838000-memory.dmp

Filesize
6.2MB

Download
memory/1808-133-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1808-134-0x0000000002EF2000-0x0000000002EF3000-memory.dmp

Filesize
4KB

Download
memory/1808-135-0x0000000007030000-0x0000000007052000-memory.dmp

Filesize
136KB

Download
memory/1808-136-0x00000000078B0000-0x0000000007916000-memory.dmp

Filesize
408KB

Download
memory/1808-137-0x0000000007B00000-0x0000000007B66000-memory.dmp

Filesize
408KB

Download
memory/1808-138-0x0000000007B70000-0x0000000007EC0000-memory.dmp

Filesize
3.3MB

Download
memory/1808-157-0x0000000009450000-0x00000000094F5000-memory.dmp

Filesize
660KB

Download
memory/1808-141-0x00000000079A0000-0x00000000079EB000-memory.dmp

Filesize
300KB

Download
memory/1808-152-0x0000000009300000-0x000000000931E000-memory.dmp

Filesize
120KB

Download
memory/1808-142-0x00000000081E0000-0x0000000008256000-memory.dmp

Filesize
472KB

Download
memory/3520-123-0x00000000055B0000-0x00000000055C6000-memory.dmp

Filesize
88KB

Download
memory/3520-118-0x0000000000AF0000-0x0000000000B42000-memory.dmp

Filesize
328KB

Download
memory/3520-119-0x0000000005970000-0x0000000005E6E000-memory.dmp

Filesize
5.0MB

Download
memory/3520-120-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/3520-121-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/3520-122-0x0000000005470000-0x000000000596E000-memory.dmp

Filesize
5.0MB

Download
memory/3520-125-0x0000000007B30000-0x0000000007B68000-memory.dmp

Filesize
224KB

Download
memory/3520-124-0x0000000007A20000-0x0000000007ABC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads