asyncrat | 0a0445acf374b31a19805593309ff48a3b0220b2a03e9d153d8788975bb9172e

General

Target

PO_9878xls.exe
Size

300KB
MD5

4b779a236a8eae2bb4ee28cd99e7150c
SHA1

5ef6353ed24b0350212ffee3e01a872ff7bedf10
SHA256

0a0445acf374b31a19805593309ff48a3b0220b2a03e9d153d8788975bb9172e
SHA512

2fac5c2ae97f042d1ba974e18ab86ab2dbb62634722aab3185024924e5bdd8b06a28a691510dfbb8454809f7f9c647ef6a8f14909068221875f4dc01a89c435b

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1072-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1072-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1072-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1072-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1392-84-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

svvhst.exesvvhst.exe

pid process

928 svvhst.exe
1392 svvhst.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1340 cmd.exe

pid	process
928	svvhst.exe
1392	svvhst.exe

pid	process
1340	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

PO_9878xls.exesvvhst.exe

description	pid	process	target process
PID 1660 set thread context of 1072	1660	PO_9878xls.exe	PO_9878xls.exe
PID 928 set thread context of 1392	928	svvhst.exe	svvhst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1516 schtasks.exe
1004 schtasks.exe
1356 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1956 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

PO_9878xls.exePO_9878xls.exe

pid process

1660 PO_9878xls.exe
1072 PO_9878xls.exe
1072 PO_9878xls.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO_9878xls.exePO_9878xls.exesvvhst.exe

description pid process

Token: SeDebugPrivilege 1660 PO_9878xls.exe
Token: SeDebugPrivilege 1072 PO_9878xls.exe
Token: SeDebugPrivilege 1392 svvhst.exe

pid	process
1516	schtasks.exe
1004	schtasks.exe
1356	schtasks.exe

pid	process
1956	timeout.exe

pid	process
1660	PO_9878xls.exe
1072	PO_9878xls.exe
1072	PO_9878xls.exe

description	pid	process
Token: SeDebugPrivilege	1660	PO_9878xls.exe
Token: SeDebugPrivilege	1072	PO_9878xls.exe
Token: SeDebugPrivilege	1392	svvhst.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

PO_9878xls.exePO_9878xls.execmd.execmd.exesvvhst.exe

description	pid	process	target process
PID 1660 wrote to memory of 1516	1660	PO_9878xls.exe	schtasks.exe
PID 1660 wrote to memory of 1516	1660	PO_9878xls.exe	schtasks.exe
PID 1660 wrote to memory of 1516	1660	PO_9878xls.exe	schtasks.exe
PID 1660 wrote to memory of 1516	1660	PO_9878xls.exe	schtasks.exe
PID 1660 wrote to memory of 1072	1660	PO_9878xls.exe	PO_9878xls.exe
PID 1660 wrote to memory of 1072	1660	PO_9878xls.exe	PO_9878xls.exe
PID 1660 wrote to memory of 1072	1660	PO_9878xls.exe	PO_9878xls.exe
PID 1660 wrote to memory of 1072	1660	PO_9878xls.exe	PO_9878xls.exe
PID 1660 wrote to memory of 1072	1660	PO_9878xls.exe	PO_9878xls.exe
PID 1660 wrote to memory of 1072	1660	PO_9878xls.exe	PO_9878xls.exe
PID 1660 wrote to memory of 1072	1660	PO_9878xls.exe	PO_9878xls.exe
PID 1660 wrote to memory of 1072	1660	PO_9878xls.exe	PO_9878xls.exe
PID 1660 wrote to memory of 1072	1660	PO_9878xls.exe	PO_9878xls.exe
PID 1072 wrote to memory of 1288	1072	PO_9878xls.exe	cmd.exe
PID 1072 wrote to memory of 1288	1072	PO_9878xls.exe	cmd.exe
PID 1072 wrote to memory of 1288	1072	PO_9878xls.exe	cmd.exe
PID 1072 wrote to memory of 1288	1072	PO_9878xls.exe	cmd.exe
PID 1288 wrote to memory of 1004	1288	cmd.exe	schtasks.exe
PID 1288 wrote to memory of 1004	1288	cmd.exe	schtasks.exe
PID 1288 wrote to memory of 1004	1288	cmd.exe	schtasks.exe
PID 1288 wrote to memory of 1004	1288	cmd.exe	schtasks.exe
PID 1072 wrote to memory of 1340	1072	PO_9878xls.exe	cmd.exe
PID 1072 wrote to memory of 1340	1072	PO_9878xls.exe	cmd.exe
PID 1072 wrote to memory of 1340	1072	PO_9878xls.exe	cmd.exe
PID 1072 wrote to memory of 1340	1072	PO_9878xls.exe	cmd.exe
PID 1340 wrote to memory of 1956	1340	cmd.exe	timeout.exe
PID 1340 wrote to memory of 1956	1340	cmd.exe	timeout.exe
PID 1340 wrote to memory of 1956	1340	cmd.exe	timeout.exe
PID 1340 wrote to memory of 1956	1340	cmd.exe	timeout.exe
PID 1340 wrote to memory of 928	1340	cmd.exe	svvhst.exe
PID 1340 wrote to memory of 928	1340	cmd.exe	svvhst.exe
PID 1340 wrote to memory of 928	1340	cmd.exe	svvhst.exe
PID 1340 wrote to memory of 928	1340	cmd.exe	svvhst.exe
PID 928 wrote to memory of 1356	928	svvhst.exe	schtasks.exe
PID 928 wrote to memory of 1356	928	svvhst.exe	schtasks.exe
PID 928 wrote to memory of 1356	928	svvhst.exe	schtasks.exe
PID 928 wrote to memory of 1356	928	svvhst.exe	schtasks.exe
PID 928 wrote to memory of 1392	928	svvhst.exe	svvhst.exe
PID 928 wrote to memory of 1392	928	svvhst.exe	svvhst.exe
PID 928 wrote to memory of 1392	928	svvhst.exe	svvhst.exe
PID 928 wrote to memory of 1392	928	svvhst.exe	svvhst.exe
PID 928 wrote to memory of 1392	928	svvhst.exe	svvhst.exe
PID 928 wrote to memory of 1392	928	svvhst.exe	svvhst.exe
PID 928 wrote to memory of 1392	928	svvhst.exe	svvhst.exe
PID 928 wrote to memory of 1392	928	svvhst.exe	svvhst.exe
PID 928 wrote to memory of 1392	928	svvhst.exe	svvhst.exe

C:\Users\Admin\AppData\Local\Temp\PO_9878xls.exe
"C:\Users\Admin\AppData\Local\Temp\PO_9878xls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PSkCOJJISk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3DEA.tmp"
2⤵
- Creates scheduled task(s)
PID:1516

C:\Users\Admin\AppData\Local\Temp\PO_9878xls.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svvhst" /tr '"C:\Users\Admin\AppData\Roaming\svvhst.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svvhst" /tr '"C:\Users\Admin\AppData\Roaming\svvhst.exe"'
4⤵
- Creates scheduled task(s)
PID:1004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7ACB.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1956

C:\Users\Admin\AppData\Roaming\svvhst.exe
"C:\Users\Admin\AppData\Roaming\svvhst.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PSkCOJJISk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF029.tmp"
5⤵
- Creates scheduled task(s)
PID:1356

C:\Users\Admin\AppData\Roaming\svvhst.exe
"{path}"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3DEA.tmp
MD5
39ed630102909888d53659c5401ac516

SHA1
b4dbff82bfedd26fc904d775f4514960491c90f1

SHA256
940466fe0872f629d1fb04f35c857d576dab9cac8d7753d2ea9cbddccc0b57a6

SHA512
862f1be14b280112ce4bafc7e3fafb2bac61e1ee787cd90a4e5c367243d4d2722d263a191e9d384c9f179cff88b4c053ddc2d825a65c1e96d986edf5bd51ac6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7ACB.tmp.bat
MD5
863029f760e44f41eba1cb0713e63e13

SHA1
122ab51ba455361c20824b7cd3b5f82f7731963a

SHA256
477bbec8b154152b0a01d3df0add36f02ebc9dc6bc4f59227a3b04c141f7f805

SHA512
0a34c8a9817d5d7027ee6c2af8434a8e4fa0007d768af1aedc20bad35012688f8b9abbab5a349803463782354cce2835e9485e9cd4a67f8fa6c2e586ce2b11e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF029.tmp
MD5
39ed630102909888d53659c5401ac516

SHA1
b4dbff82bfedd26fc904d775f4514960491c90f1

SHA256
940466fe0872f629d1fb04f35c857d576dab9cac8d7753d2ea9cbddccc0b57a6

SHA512
862f1be14b280112ce4bafc7e3fafb2bac61e1ee787cd90a4e5c367243d4d2722d263a191e9d384c9f179cff88b4c053ddc2d825a65c1e96d986edf5bd51ac6d

Download Submit
C:\Users\Admin\AppData\Roaming\svvhst.exe
MD5
4b779a236a8eae2bb4ee28cd99e7150c

SHA1
5ef6353ed24b0350212ffee3e01a872ff7bedf10

SHA256
0a0445acf374b31a19805593309ff48a3b0220b2a03e9d153d8788975bb9172e

SHA512
2fac5c2ae97f042d1ba974e18ab86ab2dbb62634722aab3185024924e5bdd8b06a28a691510dfbb8454809f7f9c647ef6a8f14909068221875f4dc01a89c435b

Download Submit
C:\Users\Admin\AppData\Roaming\svvhst.exe
MD5
4b779a236a8eae2bb4ee28cd99e7150c

SHA1
5ef6353ed24b0350212ffee3e01a872ff7bedf10

SHA256
0a0445acf374b31a19805593309ff48a3b0220b2a03e9d153d8788975bb9172e

SHA512
2fac5c2ae97f042d1ba974e18ab86ab2dbb62634722aab3185024924e5bdd8b06a28a691510dfbb8454809f7f9c647ef6a8f14909068221875f4dc01a89c435b

Download Submit
C:\Users\Admin\AppData\Roaming\svvhst.exe
MD5
4b779a236a8eae2bb4ee28cd99e7150c

SHA1
5ef6353ed24b0350212ffee3e01a872ff7bedf10

SHA256
0a0445acf374b31a19805593309ff48a3b0220b2a03e9d153d8788975bb9172e

SHA512
2fac5c2ae97f042d1ba974e18ab86ab2dbb62634722aab3185024924e5bdd8b06a28a691510dfbb8454809f7f9c647ef6a8f14909068221875f4dc01a89c435b

Download Submit
\Users\Admin\AppData\Roaming\svvhst.exe
MD5
4b779a236a8eae2bb4ee28cd99e7150c

SHA1
5ef6353ed24b0350212ffee3e01a872ff7bedf10

SHA256
0a0445acf374b31a19805593309ff48a3b0220b2a03e9d153d8788975bb9172e

SHA512
2fac5c2ae97f042d1ba974e18ab86ab2dbb62634722aab3185024924e5bdd8b06a28a691510dfbb8454809f7f9c647ef6a8f14909068221875f4dc01a89c435b

Download Submit
memory/928-74-0x0000000000E90000-0x0000000000EE2000-memory.dmp

Filesize
328KB

Download
memory/928-76-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/1072-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1072-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1072-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1072-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1072-69-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/1072-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1072-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1392-86-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1392-84-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1660-59-0x0000000002050000-0x00000000020B8000-memory.dmp

Filesize
416KB

Download
memory/1660-55-0x0000000000B80000-0x0000000000BD2000-memory.dmp

Filesize
328KB

Download
memory/1660-57-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1660-56-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1660-58-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1660-60-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads