asyncrat | 9b3f9a9609fd1a9bb141ebe88098b9b40a9dd031f88e2f8ba9745a6969e03ed5

General

Target

935e022330708967113c88e15f8b01c3.exe
Size

298KB
MD5

935e022330708967113c88e15f8b01c3
SHA1

7cf14b3324d826a0fed00f66a282ea7c9b9b14eb
SHA256

9b3f9a9609fd1a9bb141ebe88098b9b40a9dd031f88e2f8ba9745a6969e03ed5
SHA512

362939a7d6ce2f7ddc71a5af3d9e5b8d9505a8f12578258d358351057b008d63a4d22e8d53308632874293b66973292cc73868aa6f13bf995b40753c2d9c70ca

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/776-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/776-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/776-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/776-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/884-90-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

Data.exeData.exe

pid process

1780 Data.exe
884 Data.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1836 cmd.exe

pid	process
1780	Data.exe
884	Data.exe

pid	process
1836	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

935e022330708967113c88e15f8b01c3.exeData.exe

description	pid	process	target process
PID 1592 set thread context of 776	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1780 set thread context of 884	1780	Data.exe	Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1696 schtasks.exe
1384 schtasks.exe
1564 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1964 timeout.exe

pid	process
1696	schtasks.exe
1384	schtasks.exe
1564	schtasks.exe

pid	process
1964	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

935e022330708967113c88e15f8b01c3.exepowershell.exe935e022330708967113c88e15f8b01c3.exepowershell.exe

pid	process
1592	935e022330708967113c88e15f8b01c3.exe
1592	935e022330708967113c88e15f8b01c3.exe
1036	powershell.exe
776	935e022330708967113c88e15f8b01c3.exe
776	935e022330708967113c88e15f8b01c3.exe
1728	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

935e022330708967113c88e15f8b01c3.exepowershell.exe935e022330708967113c88e15f8b01c3.exepowershell.exeData.exe

description	pid	process
Token: SeDebugPrivilege	1592	935e022330708967113c88e15f8b01c3.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	776	935e022330708967113c88e15f8b01c3.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	884	Data.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

935e022330708967113c88e15f8b01c3.exe935e022330708967113c88e15f8b01c3.execmd.execmd.exeData.exe

description	pid	process	target process
PID 1592 wrote to memory of 1036	1592	935e022330708967113c88e15f8b01c3.exe	powershell.exe
PID 1592 wrote to memory of 1036	1592	935e022330708967113c88e15f8b01c3.exe	powershell.exe
PID 1592 wrote to memory of 1036	1592	935e022330708967113c88e15f8b01c3.exe	powershell.exe
PID 1592 wrote to memory of 1036	1592	935e022330708967113c88e15f8b01c3.exe	powershell.exe
PID 1592 wrote to memory of 1696	1592	935e022330708967113c88e15f8b01c3.exe	schtasks.exe
PID 1592 wrote to memory of 1696	1592	935e022330708967113c88e15f8b01c3.exe	schtasks.exe
PID 1592 wrote to memory of 1696	1592	935e022330708967113c88e15f8b01c3.exe	schtasks.exe
PID 1592 wrote to memory of 1696	1592	935e022330708967113c88e15f8b01c3.exe	schtasks.exe
PID 1592 wrote to memory of 1052	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1592 wrote to memory of 1052	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1592 wrote to memory of 1052	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1592 wrote to memory of 1052	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1592 wrote to memory of 776	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1592 wrote to memory of 776	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1592 wrote to memory of 776	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1592 wrote to memory of 776	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1592 wrote to memory of 776	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1592 wrote to memory of 776	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1592 wrote to memory of 776	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1592 wrote to memory of 776	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 1592 wrote to memory of 776	1592	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 776 wrote to memory of 1352	776	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 776 wrote to memory of 1352	776	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 776 wrote to memory of 1352	776	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 776 wrote to memory of 1352	776	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 776 wrote to memory of 1836	776	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 776 wrote to memory of 1836	776	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 776 wrote to memory of 1836	776	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 776 wrote to memory of 1836	776	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 1352 wrote to memory of 1384	1352	cmd.exe	schtasks.exe
PID 1352 wrote to memory of 1384	1352	cmd.exe	schtasks.exe
PID 1352 wrote to memory of 1384	1352	cmd.exe	schtasks.exe
PID 1352 wrote to memory of 1384	1352	cmd.exe	schtasks.exe
PID 1836 wrote to memory of 1964	1836	cmd.exe	timeout.exe
PID 1836 wrote to memory of 1964	1836	cmd.exe	timeout.exe
PID 1836 wrote to memory of 1964	1836	cmd.exe	timeout.exe
PID 1836 wrote to memory of 1964	1836	cmd.exe	timeout.exe
PID 1836 wrote to memory of 1780	1836	cmd.exe	Data.exe
PID 1836 wrote to memory of 1780	1836	cmd.exe	Data.exe
PID 1836 wrote to memory of 1780	1836	cmd.exe	Data.exe
PID 1836 wrote to memory of 1780	1836	cmd.exe	Data.exe
PID 1780 wrote to memory of 1728	1780	Data.exe	powershell.exe
PID 1780 wrote to memory of 1728	1780	Data.exe	powershell.exe
PID 1780 wrote to memory of 1728	1780	Data.exe	powershell.exe
PID 1780 wrote to memory of 1728	1780	Data.exe	powershell.exe
PID 1780 wrote to memory of 1564	1780	Data.exe	schtasks.exe
PID 1780 wrote to memory of 1564	1780	Data.exe	schtasks.exe
PID 1780 wrote to memory of 1564	1780	Data.exe	schtasks.exe
PID 1780 wrote to memory of 1564	1780	Data.exe	schtasks.exe
PID 1780 wrote to memory of 884	1780	Data.exe	Data.exe
PID 1780 wrote to memory of 884	1780	Data.exe	Data.exe
PID 1780 wrote to memory of 884	1780	Data.exe	Data.exe
PID 1780 wrote to memory of 884	1780	Data.exe	Data.exe
PID 1780 wrote to memory of 884	1780	Data.exe	Data.exe
PID 1780 wrote to memory of 884	1780	Data.exe	Data.exe
PID 1780 wrote to memory of 884	1780	Data.exe	Data.exe
PID 1780 wrote to memory of 884	1780	Data.exe	Data.exe
PID 1780 wrote to memory of 884	1780	Data.exe	Data.exe

C:\Users\Admin\AppData\Local\Temp\935e022330708967113c88e15f8b01c3.exe
"C:\Users\Admin\AppData\Local\Temp\935e022330708967113c88e15f8b01c3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\voWfuSy.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\voWfuSy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7FCA.tmp"
2⤵
- Creates scheduled task(s)
PID:1696

C:\Users\Admin\AppData\Local\Temp\935e022330708967113c88e15f8b01c3.exe
"C:\Users\Admin\AppData\Local\Temp\935e022330708967113c88e15f8b01c3.exe"
2⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\935e022330708967113c88e15f8b01c3.exe
"C:\Users\Admin\AppData\Local\Temp\935e022330708967113c88e15f8b01c3.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Data" /tr '"C:\Users\Admin\AppData\Roaming\Data.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Data" /tr '"C:\Users\Admin\AppData\Roaming\Data.exe"'
4⤵
- Creates scheduled task(s)
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp981B.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1964

C:\Users\Admin\AppData\Roaming\Data.exe
"C:\Users\Admin\AppData\Roaming\Data.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\voWfuSy.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\voWfuSy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp40D7.tmp"
5⤵
- Creates scheduled task(s)
PID:1564

C:\Users\Admin\AppData\Roaming\Data.exe
"C:\Users\Admin\AppData\Roaming\Data.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp40D7.tmp
MD5
0cd8585adc298e1bb4a5132d8649da3c

SHA1
745e012e3502d267b73f31a6b42b08358af583a2

SHA256
38d6b4b240bc13214018995ef23fb1f890253eab1f162e3ae8baf011490e2310

SHA512
03668e657a8d86ac287d236c6d6ab7ec7c728aa8aea33ca60929a7feb69c96075f84f89e31c91fb1aec94877cd81a751ec89873a64b15062dbeec51a0056a74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FCA.tmp
MD5
0cd8585adc298e1bb4a5132d8649da3c

SHA1
745e012e3502d267b73f31a6b42b08358af583a2

SHA256
38d6b4b240bc13214018995ef23fb1f890253eab1f162e3ae8baf011490e2310

SHA512
03668e657a8d86ac287d236c6d6ab7ec7c728aa8aea33ca60929a7feb69c96075f84f89e31c91fb1aec94877cd81a751ec89873a64b15062dbeec51a0056a74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp981B.tmp.bat
MD5
fe93568fd6216264a18e746a639a7c48

SHA1
732ba9a07c8aeaa25d88dcb466aacf33b7d75525

SHA256
17cbe1034210d75c5e552e337c289d2d328d58e3bc6eea221b284c0dd91e2554

SHA512
ea7b000b6ab5b3cd54275ba4d67e0a811e2f10c5a29aa4f771065626a9f08334c42eef957ff7cc62e009db89eba3474135a8b4e02fd01f2cc4dc72b5d9268739

Download Submit
C:\Users\Admin\AppData\Roaming\Data.exe
MD5
935e022330708967113c88e15f8b01c3

SHA1
7cf14b3324d826a0fed00f66a282ea7c9b9b14eb

SHA256
9b3f9a9609fd1a9bb141ebe88098b9b40a9dd031f88e2f8ba9745a6969e03ed5

SHA512
362939a7d6ce2f7ddc71a5af3d9e5b8d9505a8f12578258d358351057b008d63a4d22e8d53308632874293b66973292cc73868aa6f13bf995b40753c2d9c70ca

Download Submit
C:\Users\Admin\AppData\Roaming\Data.exe
MD5
935e022330708967113c88e15f8b01c3

SHA1
7cf14b3324d826a0fed00f66a282ea7c9b9b14eb

SHA256
9b3f9a9609fd1a9bb141ebe88098b9b40a9dd031f88e2f8ba9745a6969e03ed5

SHA512
362939a7d6ce2f7ddc71a5af3d9e5b8d9505a8f12578258d358351057b008d63a4d22e8d53308632874293b66973292cc73868aa6f13bf995b40753c2d9c70ca

Download Submit
C:\Users\Admin\AppData\Roaming\Data.exe
MD5
935e022330708967113c88e15f8b01c3

SHA1
7cf14b3324d826a0fed00f66a282ea7c9b9b14eb

SHA256
9b3f9a9609fd1a9bb141ebe88098b9b40a9dd031f88e2f8ba9745a6969e03ed5

SHA512
362939a7d6ce2f7ddc71a5af3d9e5b8d9505a8f12578258d358351057b008d63a4d22e8d53308632874293b66973292cc73868aa6f13bf995b40753c2d9c70ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
5124eb877e83b48f2685cd510be8a405

SHA1
ec029af27799916cd53b80bba19a707c2504f3cc

SHA256
272c076cd6816b991ba8a3ee0267da01607b5ece75c98813f68a2c2a536b8a81

SHA512
1e8e381d161a568085e2fded7167a2d7aa8f93b5b66c0689119c2e4a34ea09720728fcc528a955b72ff1cc2611d1f80ec87059d979d89fd2b81aaef9ca368b93

Download Submit
\Users\Admin\AppData\Roaming\Data.exe
MD5
935e022330708967113c88e15f8b01c3

SHA1
7cf14b3324d826a0fed00f66a282ea7c9b9b14eb

SHA256
9b3f9a9609fd1a9bb141ebe88098b9b40a9dd031f88e2f8ba9745a6969e03ed5

SHA512
362939a7d6ce2f7ddc71a5af3d9e5b8d9505a8f12578258d358351057b008d63a4d22e8d53308632874293b66973292cc73868aa6f13bf995b40753c2d9c70ca

Download Submit
memory/776-72-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/776-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/776-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/776-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/776-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/776-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/776-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/884-93-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/884-90-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1036-70-0x0000000002490000-0x00000000030DA000-memory.dmp

Filesize
12.3MB

Download
memory/1036-69-0x0000000002490000-0x00000000030DA000-memory.dmp

Filesize
12.3MB

Download
memory/1592-58-0x0000000000770000-0x00000000007A8000-memory.dmp

Filesize
224KB

Download
memory/1592-57-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/1592-56-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1592-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1592-54-0x00000000013B0000-0x0000000001400000-memory.dmp

Filesize
320KB

Download
memory/1728-91-0x0000000002530000-0x0000000002573000-memory.dmp

Filesize
268KB

Download
memory/1780-77-0x0000000000CD0000-0x0000000000D20000-memory.dmp

Filesize
320KB

Download
memory/1780-79-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1780-80-0x0000000002280000-0x00000000022B8000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads