asyncrat | 9b3f9a9609fd1a9bb141ebe88098b9b40a9dd031f88e2f8ba9745a6969e03ed5

Analysis

max time kernel
151s
max time network
140s
platform
windows10_x64
resource
win10-en-20211208
submitted
26-01-2022 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

935e022330708967113c88e15f8b01c3.exe
Size

298KB
MD5

935e022330708967113c88e15f8b01c3
SHA1

7cf14b3324d826a0fed00f66a282ea7c9b9b14eb
SHA256

9b3f9a9609fd1a9bb141ebe88098b9b40a9dd031f88e2f8ba9745a6969e03ed5
SHA512

362939a7d6ce2f7ddc71a5af3d9e5b8d9505a8f12578258d358351057b008d63a4d22e8d53308632874293b66973292cc73868aa6f13bf995b40753c2d9c70ca

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3212-128-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

Data.exeData.exe

pid process

5108 Data.exe
3836 Data.exe

pid	process
5108	Data.exe
3836	Data.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

935e022330708967113c88e15f8b01c3.exeData.exe

description	pid	process	target process
PID 3436 set thread context of 3212	3436	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 5108 set thread context of 3836	5108	Data.exe	Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4852 schtasks.exe
4540 schtasks.exe
3256 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4976 timeout.exe

pid	process
4852	schtasks.exe
4540	schtasks.exe
3256	schtasks.exe

pid	process
4976	timeout.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exe935e022330708967113c88e15f8b01c3.exepowershell.exe

pid	process
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
3212	935e022330708967113c88e15f8b01c3.exe
3212	935e022330708967113c88e15f8b01c3.exe
3212	935e022330708967113c88e15f8b01c3.exe
3212	935e022330708967113c88e15f8b01c3.exe
3212	935e022330708967113c88e15f8b01c3.exe
3212	935e022330708967113c88e15f8b01c3.exe
3212	935e022330708967113c88e15f8b01c3.exe
3212	935e022330708967113c88e15f8b01c3.exe
3212	935e022330708967113c88e15f8b01c3.exe
3212	935e022330708967113c88e15f8b01c3.exe
3212	935e022330708967113c88e15f8b01c3.exe
3212	935e022330708967113c88e15f8b01c3.exe
3212	935e022330708967113c88e15f8b01c3.exe
2016	powershell.exe
2016	powershell.exe
2016	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exe935e022330708967113c88e15f8b01c3.exepowershell.exeData.exe

description	pid	process
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	3212	935e022330708967113c88e15f8b01c3.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	3836	Data.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

935e022330708967113c88e15f8b01c3.exe935e022330708967113c88e15f8b01c3.execmd.execmd.exeData.exe

description	pid	process	target process
PID 3436 wrote to memory of 4324	3436	935e022330708967113c88e15f8b01c3.exe	powershell.exe
PID 3436 wrote to memory of 4324	3436	935e022330708967113c88e15f8b01c3.exe	powershell.exe
PID 3436 wrote to memory of 4324	3436	935e022330708967113c88e15f8b01c3.exe	powershell.exe
PID 3436 wrote to memory of 3256	3436	935e022330708967113c88e15f8b01c3.exe	schtasks.exe
PID 3436 wrote to memory of 3256	3436	935e022330708967113c88e15f8b01c3.exe	schtasks.exe
PID 3436 wrote to memory of 3256	3436	935e022330708967113c88e15f8b01c3.exe	schtasks.exe
PID 3436 wrote to memory of 3212	3436	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 3436 wrote to memory of 3212	3436	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 3436 wrote to memory of 3212	3436	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 3436 wrote to memory of 3212	3436	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 3436 wrote to memory of 3212	3436	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 3436 wrote to memory of 3212	3436	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 3436 wrote to memory of 3212	3436	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 3436 wrote to memory of 3212	3436	935e022330708967113c88e15f8b01c3.exe	935e022330708967113c88e15f8b01c3.exe
PID 3212 wrote to memory of 3040	3212	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 3212 wrote to memory of 3040	3212	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 3212 wrote to memory of 3040	3212	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 3212 wrote to memory of 3928	3212	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 3212 wrote to memory of 3928	3212	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 3212 wrote to memory of 3928	3212	935e022330708967113c88e15f8b01c3.exe	cmd.exe
PID 3040 wrote to memory of 4852	3040	cmd.exe	schtasks.exe
PID 3040 wrote to memory of 4852	3040	cmd.exe	schtasks.exe
PID 3040 wrote to memory of 4852	3040	cmd.exe	schtasks.exe
PID 3928 wrote to memory of 4976	3928	cmd.exe	timeout.exe
PID 3928 wrote to memory of 4976	3928	cmd.exe	timeout.exe
PID 3928 wrote to memory of 4976	3928	cmd.exe	timeout.exe
PID 3928 wrote to memory of 5108	3928	cmd.exe	Data.exe
PID 3928 wrote to memory of 5108	3928	cmd.exe	Data.exe
PID 3928 wrote to memory of 5108	3928	cmd.exe	Data.exe
PID 5108 wrote to memory of 2016	5108	Data.exe	powershell.exe
PID 5108 wrote to memory of 2016	5108	Data.exe	powershell.exe
PID 5108 wrote to memory of 2016	5108	Data.exe	powershell.exe
PID 5108 wrote to memory of 4540	5108	Data.exe	schtasks.exe
PID 5108 wrote to memory of 4540	5108	Data.exe	schtasks.exe
PID 5108 wrote to memory of 4540	5108	Data.exe	schtasks.exe
PID 5108 wrote to memory of 3836	5108	Data.exe	Data.exe
PID 5108 wrote to memory of 3836	5108	Data.exe	Data.exe
PID 5108 wrote to memory of 3836	5108	Data.exe	Data.exe
PID 5108 wrote to memory of 3836	5108	Data.exe	Data.exe
PID 5108 wrote to memory of 3836	5108	Data.exe	Data.exe
PID 5108 wrote to memory of 3836	5108	Data.exe	Data.exe
PID 5108 wrote to memory of 3836	5108	Data.exe	Data.exe
PID 5108 wrote to memory of 3836	5108	Data.exe	Data.exe

C:\Users\Admin\AppData\Local\Temp\935e022330708967113c88e15f8b01c3.exe
"C:\Users\Admin\AppData\Local\Temp\935e022330708967113c88e15f8b01c3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\voWfuSy.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\voWfuSy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4717.tmp"
2⤵
- Creates scheduled task(s)
PID:3256

C:\Users\Admin\AppData\Local\Temp\935e022330708967113c88e15f8b01c3.exe
"C:\Users\Admin\AppData\Local\Temp\935e022330708967113c88e15f8b01c3.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Data" /tr '"C:\Users\Admin\AppData\Roaming\Data.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Data" /tr '"C:\Users\Admin\AppData\Roaming\Data.exe"'
4⤵
- Creates scheduled task(s)
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5B5B.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4976

C:\Users\Admin\AppData\Roaming\Data.exe
"C:\Users\Admin\AppData\Roaming\Data.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\voWfuSy.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\voWfuSy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C4.tmp"
5⤵
- Creates scheduled task(s)
PID:4540

C:\Users\Admin\AppData\Roaming\Data.exe
"C:\Users\Admin\AppData\Roaming\Data.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\935e022330708967113c88e15f8b01c3.exe.log
MD5
b1a97e7c826ffc38c8d2c00eb49b8a01

SHA1
2d094c94fbcecd045370b1470fe77d10128ccac4

SHA256
c7c76581c6e385d9b79c074273d3335fe2d0bd3880e2dee2b64dd2f9f3106944

SHA512
ed4e770718235213d5c54ff8966b87cdb37fc392ae5abe1eb8d8dd6a8832cf8a28a33dc10d3c582cf480853c41a6680401e6f2acab473548f5cb30a8e1b8965f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
39d1de42efe5eea48937a86b5339d1dc

SHA1
3194637894183b9b7845895461b1e46df92557fa

SHA256
e25966d0b9791e7e64db6a1a0b87cba04d0c378607e23e8aa7a0668a357074bb

SHA512
c12146c95f44465224f7102c10598a5e247c91e72fb0f96bdc1e90848dad513ac0c089c1795f25fc7a257e74f30c07d8bec2b0706f83f9a2895f24fbd27907a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4717.tmp
MD5
19b1ee69e7ac810f6d8cdb1d74cf81dd

SHA1
75cfa7aa808953a13d970c5c9eca83d08e3e1931

SHA256
4d9acdc88e7bb06f992f99707fda84ea5f4d18b3d6480b16c661cfe221a36290

SHA512
33bc02b6c187639ef3bf8567453feae54488c0a78035bdcd18586788ee68d449acea3b55aff9953d0490af795c5b9675273bcf0b63e9180dd6fbd04e467631e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B5B.tmp.bat
MD5
6c330f77cca2c6842c2fc68577e5d607

SHA1
e9d954e9010ccb200193c61d1dae7845eb49da0f

SHA256
e98072b848cf28f1070af592f6d2190375bc493aced5c6ee2f528360504e8bdf

SHA512
3bcbe0ba3ca46e7055295f6172e8ffbc4f45fb20624c51799d9f90698022658b5caa4aa14f8f19e25293c7ffccdc098cfd498d42830b1f3c6b4da1490eb1990c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C4.tmp
MD5
19b1ee69e7ac810f6d8cdb1d74cf81dd

SHA1
75cfa7aa808953a13d970c5c9eca83d08e3e1931

SHA256
4d9acdc88e7bb06f992f99707fda84ea5f4d18b3d6480b16c661cfe221a36290

SHA512
33bc02b6c187639ef3bf8567453feae54488c0a78035bdcd18586788ee68d449acea3b55aff9953d0490af795c5b9675273bcf0b63e9180dd6fbd04e467631e3

Download Submit
C:\Users\Admin\AppData\Roaming\Data.exe
MD5
935e022330708967113c88e15f8b01c3

SHA1
7cf14b3324d826a0fed00f66a282ea7c9b9b14eb

SHA256
9b3f9a9609fd1a9bb141ebe88098b9b40a9dd031f88e2f8ba9745a6969e03ed5

SHA512
362939a7d6ce2f7ddc71a5af3d9e5b8d9505a8f12578258d358351057b008d63a4d22e8d53308632874293b66973292cc73868aa6f13bf995b40753c2d9c70ca

Download Submit
C:\Users\Admin\AppData\Roaming\Data.exe
MD5
935e022330708967113c88e15f8b01c3

SHA1
7cf14b3324d826a0fed00f66a282ea7c9b9b14eb

SHA256
9b3f9a9609fd1a9bb141ebe88098b9b40a9dd031f88e2f8ba9745a6969e03ed5

SHA512
362939a7d6ce2f7ddc71a5af3d9e5b8d9505a8f12578258d358351057b008d63a4d22e8d53308632874293b66973292cc73868aa6f13bf995b40753c2d9c70ca

Download Submit
C:\Users\Admin\AppData\Roaming\Data.exe
MD5
935e022330708967113c88e15f8b01c3

SHA1
7cf14b3324d826a0fed00f66a282ea7c9b9b14eb

SHA256
9b3f9a9609fd1a9bb141ebe88098b9b40a9dd031f88e2f8ba9745a6969e03ed5

SHA512
362939a7d6ce2f7ddc71a5af3d9e5b8d9505a8f12578258d358351057b008d63a4d22e8d53308632874293b66973292cc73868aa6f13bf995b40753c2d9c70ca

Download Submit
memory/2016-381-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/2016-382-0x0000000004AD2000-0x0000000004AD3000-memory.dmp

Filesize
4KB

Download
memory/2016-391-0x000000007F310000-0x000000007F311000-memory.dmp

Filesize
4KB

Download
memory/2016-518-0x0000000004AD3000-0x0000000004AD4000-memory.dmp

Filesize
4KB

Download
memory/3212-144-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/3212-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3436-116-0x0000000005E00000-0x00000000062FE000-memory.dmp

Filesize
5.0MB

Download
memory/3436-117-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/3436-118-0x0000000005870000-0x000000000587A000-memory.dmp

Filesize
40KB

Download
memory/3436-119-0x0000000005B30000-0x0000000005BCC000-memory.dmp

Filesize
624KB

Download
memory/3436-120-0x0000000005900000-0x0000000005DFE000-memory.dmp

Filesize
5.0MB

Download
memory/3436-121-0x0000000005A70000-0x0000000005A7E000-memory.dmp

Filesize
56KB

Download
memory/3436-115-0x0000000000F60000-0x0000000000FB0000-memory.dmp

Filesize
320KB

Download
memory/3436-122-0x0000000008E70000-0x0000000008EBB000-memory.dmp

Filesize
300KB

Download
memory/3436-123-0x0000000008F00000-0x0000000008F38000-memory.dmp

Filesize
224KB

Download
memory/3836-606-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/4324-164-0x0000000004CB0000-0x0000000004D00000-memory.dmp

Filesize
320KB

Download
memory/4324-359-0x0000000007430000-0x0000000007438000-memory.dmp

Filesize
32KB

Download
memory/4324-162-0x000000007F480000-0x000000007F481000-memory.dmp

Filesize
4KB

Download
memory/4324-131-0x0000000004CB0000-0x0000000004D00000-memory.dmp

Filesize
320KB

Download
memory/4324-130-0x0000000004CB0000-0x0000000004D00000-memory.dmp

Filesize
320KB

Download
memory/4324-129-0x0000000007790000-0x0000000007DB8000-memory.dmp

Filesize
6.2MB

Download
memory/4324-154-0x0000000009AD0000-0x0000000009B75000-memory.dmp

Filesize
660KB

Download
memory/4324-127-0x0000000007120000-0x0000000007156000-memory.dmp

Filesize
216KB

Download
memory/4324-354-0x0000000007440000-0x000000000745A000-memory.dmp

Filesize
104KB

Download
memory/4324-155-0x0000000009CA0000-0x0000000009D34000-memory.dmp

Filesize
592KB

Download
memory/4324-132-0x0000000007E70000-0x0000000007E92000-memory.dmp

Filesize
136KB

Download
memory/4324-149-0x0000000009960000-0x000000000997E000-memory.dmp

Filesize
120KB

Download
memory/4324-148-0x00000000099A0000-0x00000000099D3000-memory.dmp

Filesize
204KB

Download
memory/4324-138-0x00000000088B0000-0x0000000008926000-memory.dmp

Filesize
472KB

Download
memory/4324-137-0x0000000008610000-0x000000000865B000-memory.dmp

Filesize
300KB

Download
memory/4324-136-0x0000000007FE0000-0x0000000007FFC000-memory.dmp

Filesize
112KB

Download
memory/4324-135-0x0000000008240000-0x0000000008590000-memory.dmp

Filesize
3.3MB

Download
memory/4324-134-0x00000000081D0000-0x0000000008236000-memory.dmp

Filesize
408KB

Download
memory/4324-133-0x0000000007F10000-0x0000000007F76000-memory.dmp

Filesize
408KB

Download
memory/5108-368-0x0000000004C30000-0x000000000512E000-memory.dmp

Filesize
5.0MB

Download