asyncrat | 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4

General

Target

813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe
Size

218KB
MD5

b84e980a2ddc7fe338f990caeb01a132
SHA1

e84a77f956e9cc4d9bee3063ca7ad2d2bd0f859a
SHA256

813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4
SHA512

7d80551fff887bee3d6af0e3990bb916a0eb58ed1f6a5c1b2f3b8723429a0d06b8019078e9f3948a3d3ab7bef5accfc440958c896da6eb28ddf4b174a4570274

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tmp.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\tmp.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\tmp.exe	asyncrat
behavioral1/memory/904-62-0x0000000000290000-0x00000000002BC000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

904 tmp.exe

pid	process
904	tmp.exe

Drops startup file 1 IoCs

Processes:

813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Registry Updater.exe.lnk	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe

Loads dropped DLL 1 IoCs

Processes:

813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe

pid process

1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exetmp.exe

pid	process
1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe
1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe
904	tmp.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe

pid process

1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exetmp.exe

description	pid	process
Token: SeDebugPrivilege	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe
Token: 33	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe
Token: SeIncBasePriorityPrivilege	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe
Token: SeDebugPrivilege	904	tmp.exe
Token: SeDebugPrivilege	904	tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe

description	pid	process	target process
PID 1304 wrote to memory of 1476	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe	cmd.exe
PID 1304 wrote to memory of 1476	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe	cmd.exe
PID 1304 wrote to memory of 1476	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe	cmd.exe
PID 1304 wrote to memory of 1476	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe	cmd.exe
PID 1304 wrote to memory of 1716	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe	cmd.exe
PID 1304 wrote to memory of 1716	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe	cmd.exe
PID 1304 wrote to memory of 1716	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe	cmd.exe
PID 1304 wrote to memory of 1716	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe	cmd.exe
PID 1304 wrote to memory of 904	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe	tmp.exe
PID 1304 wrote to memory of 904	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe	tmp.exe
PID 1304 wrote to memory of 904	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe	tmp.exe
PID 1304 wrote to memory of 904	1304	813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe	tmp.exe

C:\Users\Admin\AppData\Local\Temp\813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe
"C:\Users\Admin\AppData\Local\Temp\813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\Windows Registry Updater\Windows Registry Updater.exe:Zone.Identifier
  2⤵
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "%appdata%\Windows Registry Updater\Windows Registry Updater.exe.jpg" Windows Registry Updater.exe
  2⤵
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
146KB

MD5
b62d18051855ba3768ed2228a9daa267

SHA1
1d7b42775a0eac738f7bc94ec110de8ff7d081ba

SHA256
60dc56fe6f65414b3f1f6831a4ba86990328bcc4097155d85632a2a2ff25eb94

SHA512
00c427c21e5294875e62a1aaaf5dfb4fd55846ce070a3b87ae0fa0defa07256b6649536b4f80c32b4e8e495bb18e91741a9f1aad27b7fbd7f0856c1a0bcc1a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
146KB

MD5
b62d18051855ba3768ed2228a9daa267

SHA1
1d7b42775a0eac738f7bc94ec110de8ff7d081ba

SHA256
60dc56fe6f65414b3f1f6831a4ba86990328bcc4097155d85632a2a2ff25eb94

SHA512
00c427c21e5294875e62a1aaaf5dfb4fd55846ce070a3b87ae0fa0defa07256b6649536b4f80c32b4e8e495bb18e91741a9f1aad27b7fbd7f0856c1a0bcc1a52

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
146KB

MD5
b62d18051855ba3768ed2228a9daa267

SHA1
1d7b42775a0eac738f7bc94ec110de8ff7d081ba

SHA256
60dc56fe6f65414b3f1f6831a4ba86990328bcc4097155d85632a2a2ff25eb94

SHA512
00c427c21e5294875e62a1aaaf5dfb4fd55846ce070a3b87ae0fa0defa07256b6649536b4f80c32b4e8e495bb18e91741a9f1aad27b7fbd7f0856c1a0bcc1a52

Download Submit
memory/904-59-0x0000000000000000-mapping.dmp

Download
memory/904-62-0x0000000000290000-0x00000000002BC000-memory.dmp

Filesize
176KB

Download
memory/904-63-0x000000001A770000-0x000000001A772000-memory.dmp

Filesize
8KB

Download
memory/1304-54-0x0000000000C90000-0x0000000000CC4000-memory.dmp

Filesize
208KB

Download
memory/1304-55-0x0000000000270000-0x00000000002A0000-memory.dmp

Filesize
192KB

Download
memory/1476-56-0x0000000000000000-mapping.dmp

Download
memory/1716-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads