asyncrat | 73dd28b5d2f8c9bf0cd6a3b14b660429ea13146457d1307fb9d8b2eccdb1c589

Reason

Machine shutdown

General

Target

Quotation Request#3000060021.exe
Size

527KB
MD5

21609ba452113bcb4e1054138c533576
SHA1

e7e59d79f9f0c911b82219808cdd07b0c6ed1d20
SHA256

73dd28b5d2f8c9bf0cd6a3b14b660429ea13146457d1307fb9d8b2eccdb1c589
SHA512

c42aba886f32344df73024c6e824431d0e467e63eb324107cd50f2e9eec4965dfd13ca061e26d1c5f7fd2359643a293f1def287180db87668a4da9a4446df703

Score

10^/10

asyncrat default rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

62.197.136.146:5672

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1716-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1716-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1716-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1716-66-0x000000000040C70E-mapping.dmp	asyncrat
behavioral1/memory/1716-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1716-70-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1716-72-0x0000000001F90000-0x0000000001FB4000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation Request#3000060021.exe

description pid process target process

PID 1644 set thread context of 1716 1644 Quotation Request#3000060021.exe Quotation Request#3000060021.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1644 set thread context of 1716	1644	Quotation Request#3000060021.exe	Quotation Request#3000060021.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Quotation Request#3000060021.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	1716	Quotation Request#3000060021.exe
Token: SeShutdownPrivilege	736	shutdown.exe
Token: SeRemoteShutdownPrivilege	736	shutdown.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Quotation Request#3000060021.exeQuotation Request#3000060021.execmd.exe

description	pid	process	target process
PID 1644 wrote to memory of 1716	1644	Quotation Request#3000060021.exe	Quotation Request#3000060021.exe
PID 1644 wrote to memory of 1716	1644	Quotation Request#3000060021.exe	Quotation Request#3000060021.exe
PID 1644 wrote to memory of 1716	1644	Quotation Request#3000060021.exe	Quotation Request#3000060021.exe
PID 1644 wrote to memory of 1716	1644	Quotation Request#3000060021.exe	Quotation Request#3000060021.exe
PID 1644 wrote to memory of 1716	1644	Quotation Request#3000060021.exe	Quotation Request#3000060021.exe
PID 1644 wrote to memory of 1716	1644	Quotation Request#3000060021.exe	Quotation Request#3000060021.exe
PID 1644 wrote to memory of 1716	1644	Quotation Request#3000060021.exe	Quotation Request#3000060021.exe
PID 1644 wrote to memory of 1716	1644	Quotation Request#3000060021.exe	Quotation Request#3000060021.exe
PID 1644 wrote to memory of 1716	1644	Quotation Request#3000060021.exe	Quotation Request#3000060021.exe
PID 1716 wrote to memory of 840	1716	Quotation Request#3000060021.exe	cmd.exe
PID 1716 wrote to memory of 840	1716	Quotation Request#3000060021.exe	cmd.exe
PID 1716 wrote to memory of 840	1716	Quotation Request#3000060021.exe	cmd.exe
PID 1716 wrote to memory of 840	1716	Quotation Request#3000060021.exe	cmd.exe
PID 840 wrote to memory of 736	840	cmd.exe	shutdown.exe
PID 840 wrote to memory of 736	840	cmd.exe	shutdown.exe
PID 840 wrote to memory of 736	840	cmd.exe	shutdown.exe
PID 840 wrote to memory of 736	840	cmd.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\Quotation Request#3000060021.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation Request#3000060021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\Quotation Request#3000060021.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation Request#3000060021.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
3⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\shutdown.exe
Shutdown /s /f /t 00
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/436-75-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download
memory/736-74-0x0000000000000000-mapping.dmp

Download
memory/840-73-0x0000000000000000-mapping.dmp

Download
memory/1644-55-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download
memory/1644-56-0x0000000001DA0000-0x0000000001DB6000-memory.dmp

Filesize
88KB

Download
memory/1644-57-0x0000000001DF0000-0x0000000001DFA000-memory.dmp

Filesize
40KB

Download
memory/1644-58-0x0000000004260000-0x00000000042AA000-memory.dmp

Filesize
296KB

Download
memory/1644-59-0x0000000001F00000-0x0000000001F12000-memory.dmp

Filesize
72KB

Download
memory/1644-54-0x0000000000070000-0x00000000000FA000-memory.dmp

Filesize
552KB

Download
memory/1716-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1716-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1716-66-0x000000000040C70E-mapping.dmp

Download
memory/1716-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1716-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1716-72-0x0000000001F90000-0x0000000001FB4000-memory.dmp

Filesize
144KB

Download
memory/1716-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1716-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1716-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads