asyncrat | 9e67211ceec280aedb01a69a61241af34c484be69c160313408309c56a59214a

General

Target

New Purchase Order.exe
Size

287KB
MD5

072c089d4dbca02a4ae028d984f4cc03
SHA1

3bd3b2dd8b8876c64bf528ee503c5ff2a893f897
SHA256

4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c
SHA512

3f2988a4f256e1b4cb07af531798d7d3bd445f27a81aecf15f200cc8aa1c2fdaff591e9865965468d651a7d578808550dfba95d959d74eb7a1abd3c667af67ac

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

freshg.ddns.net:2256

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
logs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/920-136-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

logs.exelogs.exe

pid process

2624 logs.exe
1552 logs.exe

pid	process
2624	logs.exe
1552	logs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Purchase Order.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	New Purchase Order.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

New Purchase Order.exelogs.exe

description	pid	process	target process
PID 3764 set thread context of 920	3764	New Purchase Order.exe	New Purchase Order.exe
PID 2624 set thread context of 1552	2624	logs.exe	logs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1744 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3784 timeout.exe

pid	process
1744	schtasks.exe

pid	process
3784	timeout.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

New Purchase Order.exePowershell.exeNew Purchase Order.exelogs.exePowershell.exe

pid	process
3764	New Purchase Order.exe
3764	New Purchase Order.exe
3764	New Purchase Order.exe
3764	New Purchase Order.exe
1740	Powershell.exe
1740	Powershell.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
920	New Purchase Order.exe
2624	logs.exe
2624	logs.exe
2408	Powershell.exe
2408	Powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

New Purchase Order.exePowershell.exeNew Purchase Order.exelogs.exePowershell.exelogs.exe

description	pid	process
Token: SeDebugPrivilege	3764	New Purchase Order.exe
Token: SeDebugPrivilege	1740	Powershell.exe
Token: SeDebugPrivilege	920	New Purchase Order.exe
Token: SeDebugPrivilege	2624	logs.exe
Token: SeDebugPrivilege	2408	Powershell.exe
Token: SeDebugPrivilege	1552	logs.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

New Purchase Order.exeNew Purchase Order.execmd.execmd.exelogs.exe

description	pid	process	target process
PID 3764 wrote to memory of 1492	3764	New Purchase Order.exe	New Purchase Order.exe
PID 3764 wrote to memory of 1492	3764	New Purchase Order.exe	New Purchase Order.exe
PID 3764 wrote to memory of 1492	3764	New Purchase Order.exe	New Purchase Order.exe
PID 3764 wrote to memory of 920	3764	New Purchase Order.exe	New Purchase Order.exe
PID 3764 wrote to memory of 920	3764	New Purchase Order.exe	New Purchase Order.exe
PID 3764 wrote to memory of 920	3764	New Purchase Order.exe	New Purchase Order.exe
PID 3764 wrote to memory of 920	3764	New Purchase Order.exe	New Purchase Order.exe
PID 3764 wrote to memory of 920	3764	New Purchase Order.exe	New Purchase Order.exe
PID 3764 wrote to memory of 920	3764	New Purchase Order.exe	New Purchase Order.exe
PID 3764 wrote to memory of 920	3764	New Purchase Order.exe	New Purchase Order.exe
PID 3764 wrote to memory of 920	3764	New Purchase Order.exe	New Purchase Order.exe
PID 3764 wrote to memory of 1740	3764	New Purchase Order.exe	Powershell.exe
PID 3764 wrote to memory of 1740	3764	New Purchase Order.exe	Powershell.exe
PID 3764 wrote to memory of 1740	3764	New Purchase Order.exe	Powershell.exe
PID 920 wrote to memory of 2084	920	New Purchase Order.exe	cmd.exe
PID 920 wrote to memory of 2084	920	New Purchase Order.exe	cmd.exe
PID 920 wrote to memory of 2084	920	New Purchase Order.exe	cmd.exe
PID 920 wrote to memory of 4740	920	New Purchase Order.exe	cmd.exe
PID 920 wrote to memory of 4740	920	New Purchase Order.exe	cmd.exe
PID 920 wrote to memory of 4740	920	New Purchase Order.exe	cmd.exe
PID 2084 wrote to memory of 1744	2084	cmd.exe	schtasks.exe
PID 2084 wrote to memory of 1744	2084	cmd.exe	schtasks.exe
PID 2084 wrote to memory of 1744	2084	cmd.exe	schtasks.exe
PID 4740 wrote to memory of 3784	4740	cmd.exe	timeout.exe
PID 4740 wrote to memory of 3784	4740	cmd.exe	timeout.exe
PID 4740 wrote to memory of 3784	4740	cmd.exe	timeout.exe
PID 4740 wrote to memory of 2624	4740	cmd.exe	logs.exe
PID 4740 wrote to memory of 2624	4740	cmd.exe	logs.exe
PID 4740 wrote to memory of 2624	4740	cmd.exe	logs.exe
PID 2624 wrote to memory of 1552	2624	logs.exe	logs.exe
PID 2624 wrote to memory of 1552	2624	logs.exe	logs.exe
PID 2624 wrote to memory of 1552	2624	logs.exe	logs.exe
PID 2624 wrote to memory of 1552	2624	logs.exe	logs.exe
PID 2624 wrote to memory of 1552	2624	logs.exe	logs.exe
PID 2624 wrote to memory of 1552	2624	logs.exe	logs.exe
PID 2624 wrote to memory of 1552	2624	logs.exe	logs.exe
PID 2624 wrote to memory of 1552	2624	logs.exe	logs.exe
PID 2624 wrote to memory of 2408	2624	logs.exe	Powershell.exe
PID 2624 wrote to memory of 2408	2624	logs.exe	Powershell.exe
PID 2624 wrote to memory of 2408	2624	logs.exe	Powershell.exe

C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764

C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe"
2⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
4⤵
- Creates scheduled task(s)
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp85EE.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3784

C:\Users\Admin\AppData\Roaming\logs.exe
"C:\Users\Admin\AppData\Roaming\logs.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Roaming\logs.exe
"C:\Users\Admin\AppData\Roaming\logs.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Purchase Order.exe.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
4478290650e7288d5e72aba3a3d10be8

SHA1
326320c3ff501a7fb2595d0bb3e880476bfbefc7

SHA256
fddec0d82b54429f72313b313730adec15a643ca3e58a81a42937136ae6f419a

SHA512
92723c95b70b63953c15039d63ce0b861919f009e9ed984f637f79d0c87dfad0f5088ea066c266e1d001d5eed2bf73a4d04b0152aef6508ff93e6f89b2e6c111

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85EE.tmp.bat
Filesize
148B

MD5
0d0c8139f3cc7664ef2f2eb5fd9d0bdf

SHA1
bf0865d42df49a815fa0b2a2cb268afb8bebffb1

SHA256
522ab23fa285dcf36b0a09194ebaa6dce6f11f1833d3523703a9b312e7c80c87

SHA512
e79583c49811d7d6181351c0993b4a45805ec811820ae7c5034efbf4ed2629c72127330aea333186f485c909f329ec1d2efdef323044e1a1de10373b8b674e33

Download Submit
C:\Users\Admin\AppData\Roaming\logs.exe
Filesize
287KB

MD5
072c089d4dbca02a4ae028d984f4cc03

SHA1
3bd3b2dd8b8876c64bf528ee503c5ff2a893f897

SHA256
4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c

SHA512
3f2988a4f256e1b4cb07af531798d7d3bd445f27a81aecf15f200cc8aa1c2fdaff591e9865965468d651a7d578808550dfba95d959d74eb7a1abd3c667af67ac

Download Submit
C:\Users\Admin\AppData\Roaming\logs.exe
Filesize
287KB

MD5
072c089d4dbca02a4ae028d984f4cc03

SHA1
3bd3b2dd8b8876c64bf528ee503c5ff2a893f897

SHA256
4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c

SHA512
3f2988a4f256e1b4cb07af531798d7d3bd445f27a81aecf15f200cc8aa1c2fdaff591e9865965468d651a7d578808550dfba95d959d74eb7a1abd3c667af67ac

Download Submit
C:\Users\Admin\AppData\Roaming\logs.exe
Filesize
287KB

MD5
072c089d4dbca02a4ae028d984f4cc03

SHA1
3bd3b2dd8b8876c64bf528ee503c5ff2a893f897

SHA256
4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c

SHA512
3f2988a4f256e1b4cb07af531798d7d3bd445f27a81aecf15f200cc8aa1c2fdaff591e9865965468d651a7d578808550dfba95d959d74eb7a1abd3c667af67ac

Download Submit
memory/920-151-0x0000000005480000-0x000000000551C000-memory.dmp

Filesize
624KB

Download
memory/920-135-0x0000000000000000-mapping.dmp

Download
memory/920-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1492-134-0x0000000000000000-mapping.dmp

Download
memory/1552-164-0x0000000000000000-mapping.dmp

Download
memory/1740-150-0x0000000007050000-0x00000000070E6000-memory.dmp

Filesize
600KB

Download
memory/1740-142-0x0000000004D40000-0x0000000004DA6000-memory.dmp

Filesize
408KB

Download
memory/1740-144-0x00000000060A0000-0x00000000060D2000-memory.dmp

Filesize
200KB

Download
memory/1740-145-0x0000000071130000-0x000000007117C000-memory.dmp

Filesize
304KB

Download
memory/1740-146-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/1740-147-0x0000000007420000-0x0000000007A9A000-memory.dmp

Filesize
6.5MB

Download
memory/1740-148-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/1740-149-0x0000000006E40000-0x0000000006E4A000-memory.dmp

Filesize
40KB

Download
memory/1740-137-0x0000000000000000-mapping.dmp

Download
memory/1740-159-0x0000000007110000-0x000000000712A000-memory.dmp

Filesize
104KB

Download
memory/1740-138-0x0000000002190000-0x00000000021C6000-memory.dmp

Filesize
216KB

Download
memory/1740-141-0x0000000004BA0000-0x0000000004C06000-memory.dmp

Filesize
408KB

Download
memory/1740-139-0x0000000005000000-0x0000000005628000-memory.dmp

Filesize
6.2MB

Download
memory/1740-143-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

Filesize
120KB

Download
memory/1740-156-0x0000000007000000-0x000000000700E000-memory.dmp

Filesize
56KB

Download
memory/1740-140-0x0000000004A00000-0x0000000004A22000-memory.dmp

Filesize
136KB

Download
memory/1740-160-0x00000000070F0000-0x00000000070F8000-memory.dmp

Filesize
32KB

Download
memory/1744-155-0x0000000000000000-mapping.dmp

Download
memory/2084-152-0x0000000000000000-mapping.dmp

Download
memory/2408-167-0x0000000000000000-mapping.dmp

Download
memory/2408-170-0x0000000071790000-0x00000000717DC000-memory.dmp

Filesize
304KB

Download
memory/2624-161-0x0000000000000000-mapping.dmp

Download
memory/3764-130-0x00000000001E0000-0x000000000022C000-memory.dmp

Filesize
304KB

Download
memory/3764-133-0x0000000004C80000-0x0000000004C8A000-memory.dmp

Filesize
40KB

Download
memory/3764-132-0x0000000004BC0000-0x0000000004C52000-memory.dmp

Filesize
584KB

Download
memory/3764-131-0x0000000005090000-0x0000000005634000-memory.dmp

Filesize
5.6MB

Download
memory/3784-158-0x0000000000000000-mapping.dmp

Download
memory/4740-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads