asyncrat | af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8

General

Target

cc1b6971441d2ec84c14247d4f014912.exe
Size

32KB
MD5

cc1b6971441d2ec84c14247d4f014912
SHA1

a786dcb3bffe527a6954d3c242138d34707e21d3
SHA256

af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8
SHA512

a91cf7ebd024a5431ee8e2202740809fb6dace5d4965be107b6f83bbed34f21bde21d45a79e08401791cd204db8d9c23b00d791f8bc5714a6e33022f8aada77b

Score

10^/10

asyncrat 1 persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

1

C2

212.193.30.54:8755

Mutex

gyQ12!.,=FD7trew

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1652-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1652-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1652-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1652-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cc1b6971441d2ec84c14247d4f014912.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zdrqamx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Txdlljii\\Zdrqamx.exe\""	cc1b6971441d2ec84c14247d4f014912.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cc1b6971441d2ec84c14247d4f014912.exe

description pid process target process

PID 1592 set thread context of 1652 1592 cc1b6971441d2ec84c14247d4f014912.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

1000 PING.EXE
1960 PING.EXE
1404 PING.EXE
1552 PING.EXE
1184 PING.EXE
1724 PING.EXE
1628 PING.EXE
1608 PING.EXE
1500 PING.EXE
1376 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cc1b6971441d2ec84c14247d4f014912.exe

pid process

1592 cc1b6971441d2ec84c14247d4f014912.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cc1b6971441d2ec84c14247d4f014912.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 1592 cc1b6971441d2ec84c14247d4f014912.exe
Token: SeDebugPrivilege 1652 MSBuild.exe

description	pid	process	target process
PID 1592 set thread context of 1652	1592	cc1b6971441d2ec84c14247d4f014912.exe	MSBuild.exe

pid	process
1000	PING.EXE
1960	PING.EXE
1404	PING.EXE
1552	PING.EXE
1184	PING.EXE
1724	PING.EXE
1628	PING.EXE
1608	PING.EXE
1500	PING.EXE
1376	PING.EXE

pid	process
1592	cc1b6971441d2ec84c14247d4f014912.exe

description	pid	process
Token: SeDebugPrivilege	1592	cc1b6971441d2ec84c14247d4f014912.exe
Token: SeDebugPrivilege	1652	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cc1b6971441d2ec84c14247d4f014912.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1592 wrote to memory of 332	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 332	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 332	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 332	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 332 wrote to memory of 1376	332	cmd.exe	PING.EXE
PID 332 wrote to memory of 1376	332	cmd.exe	PING.EXE
PID 332 wrote to memory of 1376	332	cmd.exe	PING.EXE
PID 332 wrote to memory of 1376	332	cmd.exe	PING.EXE
PID 1592 wrote to memory of 1792	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1792	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1792	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1792	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1792 wrote to memory of 1552	1792	cmd.exe	PING.EXE
PID 1792 wrote to memory of 1552	1792	cmd.exe	PING.EXE
PID 1792 wrote to memory of 1552	1792	cmd.exe	PING.EXE
PID 1792 wrote to memory of 1552	1792	cmd.exe	PING.EXE
PID 1592 wrote to memory of 1116	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1116	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1116	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1116	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1116 wrote to memory of 1184	1116	cmd.exe	PING.EXE
PID 1116 wrote to memory of 1184	1116	cmd.exe	PING.EXE
PID 1116 wrote to memory of 1184	1116	cmd.exe	PING.EXE
PID 1116 wrote to memory of 1184	1116	cmd.exe	PING.EXE
PID 1592 wrote to memory of 1884	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1884	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1884	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1884	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1884 wrote to memory of 1404	1884	cmd.exe	PING.EXE
PID 1884 wrote to memory of 1404	1884	cmd.exe	PING.EXE
PID 1884 wrote to memory of 1404	1884	cmd.exe	PING.EXE
PID 1884 wrote to memory of 1404	1884	cmd.exe	PING.EXE
PID 1592 wrote to memory of 1672	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1672	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1672	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1672	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1672 wrote to memory of 1000	1672	cmd.exe	PING.EXE
PID 1672 wrote to memory of 1000	1672	cmd.exe	PING.EXE
PID 1672 wrote to memory of 1000	1672	cmd.exe	PING.EXE
PID 1672 wrote to memory of 1000	1672	cmd.exe	PING.EXE
PID 1592 wrote to memory of 1976	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1976	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1976	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 1976	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1976 wrote to memory of 1724	1976	cmd.exe	PING.EXE
PID 1976 wrote to memory of 1724	1976	cmd.exe	PING.EXE
PID 1976 wrote to memory of 1724	1976	cmd.exe	PING.EXE
PID 1976 wrote to memory of 1724	1976	cmd.exe	PING.EXE
PID 1592 wrote to memory of 480	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 480	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 480	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 480	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 480 wrote to memory of 1960	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 1960	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 1960	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 1960	480	cmd.exe	PING.EXE
PID 1592 wrote to memory of 536	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 536	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 536	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 1592 wrote to memory of 536	1592	cc1b6971441d2ec84c14247d4f014912.exe	cmd.exe
PID 536 wrote to memory of 1628	536	cmd.exe	PING.EXE
PID 536 wrote to memory of 1628	536	cmd.exe	PING.EXE
PID 536 wrote to memory of 1628	536	cmd.exe	PING.EXE
PID 536 wrote to memory of 1628	536	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\cc1b6971441d2ec84c14247d4f014912.exe
"C:\Users\Admin\AppData\Local\Temp\cc1b6971441d2ec84c14247d4f014912.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:1376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:1552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:1184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:1404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:1000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:1724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:1960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:1628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
PID:1256

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:1608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
2⤵
PID:784

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
3⤵
- Runs ping.exe
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1592-54-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/1592-55-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/1592-56-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1592-57-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/1592-58-0x00000000003F0000-0x000000000048E000-memory.dmp

Filesize
632KB

Download
memory/1592-59-0x0000000005420000-0x000000000546C000-memory.dmp

Filesize
304KB

Download
memory/1652-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1652-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1652-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1652-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1652-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1652-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1652-66-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/1652-68-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads