asyncrat | 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3

General

Target

87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe
Size

46KB
MD5

6aeffcb0f2c4703a35309f019e001822
SHA1

2b3237ca7a252a96997263575fbb96e9d2f24320
SHA256

87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3
SHA512

87af7919630a99b17839f14d558e091985ecc3e67597cd8445e0ab1ae06bf3205d4e148958f6d298f41defbab9139f17868a580aecd6bd1b9061aae8d17d7d3d

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/760-53-0x0000000000030000-0x0000000000042000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\Update.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\Update.exe	asyncrat
behavioral1/memory/1384-58-0x0000000001060000-0x0000000001072000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Update.exe

pid process

1384 Update.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

584 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1272 timeout.exe

pid	process
1384	Update.exe

pid	process
584	schtasks.exe

pid	process
1272	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exeUpdate.exe

pid	process
760	87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe
760	87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe
1384	Update.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exeUpdate.exe

description	pid	process
Token: SeDebugPrivilege	760	87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe
Token: SeDebugPrivilege	1384	Update.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.execmd.exe

description	pid	process	target process
PID 760 wrote to memory of 584	760	87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe	schtasks.exe
PID 760 wrote to memory of 584	760	87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe	schtasks.exe
PID 760 wrote to memory of 584	760	87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe	schtasks.exe
PID 760 wrote to memory of 860	760	87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe	cmd.exe
PID 760 wrote to memory of 860	760	87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe	cmd.exe
PID 760 wrote to memory of 860	760	87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe	cmd.exe
PID 860 wrote to memory of 1272	860	cmd.exe	timeout.exe
PID 860 wrote to memory of 1272	860	cmd.exe	timeout.exe
PID 860 wrote to memory of 1272	860	cmd.exe	timeout.exe
PID 860 wrote to memory of 1384	860	cmd.exe	Update.exe
PID 860 wrote to memory of 1384	860	cmd.exe	Update.exe
PID 860 wrote to memory of 1384	860	cmd.exe	Update.exe

C:\Users\Admin\AppData\Local\Temp\87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe
"C:\Users\Admin\AppData\Local\Temp\87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Update"' /tr "'C:\Users\Admin\AppData\Local\Temp\Update.exe"'
2⤵
- Creates scheduled task(s)
PID:584

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1272

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Update.exe
MD5
31a492018601fce66d9eb89deb6c4d27

SHA1
02faadb47c0d5cd883a9eb3460679fdded1bb508

SHA256
79b6bb9887372b42aef92a30c02adc4c7042d88c71eb812a3f37c9e93b9fc567

SHA512
75652417228ab2f063b49551b57f8559453f57faeb628e826b584f8a0c3ec93912744698d261fbfaaf34595d26f01a52f55e441895f2c119bf0d2c1c473d3456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe
MD5
31a492018601fce66d9eb89deb6c4d27

SHA1
02faadb47c0d5cd883a9eb3460679fdded1bb508

SHA256
79b6bb9887372b42aef92a30c02adc4c7042d88c71eb812a3f37c9e93b9fc567

SHA512
75652417228ab2f063b49551b57f8559453f57faeb628e826b584f8a0c3ec93912744698d261fbfaaf34595d26f01a52f55e441895f2c119bf0d2c1c473d3456

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.bat
MD5
d3acc6668114446ea36bc284e4f72de0

SHA1
9e43023231d0c483d206f9fe146d4f934181377a

SHA256
63aa18bd8ad3d2008ee5fd9296cf82a38388de0519f1d63b6d1511df9e27283e

SHA512
8db3b2f2eb02b3da573329db0f91f5a3a2911251f1087934c5ae58d8607bd6dc7b8b9a4c8a6c00a8a35bdf662a02473dabb7e503314b59003399016ba5dd51ef

Download Submit
memory/760-53-0x0000000000030000-0x0000000000042000-memory.dmp

Filesize
72KB

Download
memory/760-54-0x000000001B0A0000-0x000000001B0A2000-memory.dmp

Filesize
8KB

Download
memory/1384-58-0x0000000001060000-0x0000000001072000-memory.dmp

Filesize
72KB

Download
memory/1384-59-0x000000001B280000-0x000000001B282000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads