asyncrat | 9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc

Analysis

max time kernel
159s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2022 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4278af4c129db3ea1c48d890304abd1.exe
Size

616KB
MD5

d4278af4c129db3ea1c48d890304abd1
SHA1

b6ca93a2c12c164a73339020070662b618723744
SHA256

9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc
SHA512

807c9a5242a831f2f70e8a949a11c58cfe79b9438a7c2d5484ce899cef6f2f8574f7b03a8d896b5e6473669738266cb04b1b0f9c5e63d85c4c2a00e132b9dcc2

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

37.0.14.198:6161

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/916-141-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

.exe.exe

pid process

5100 .exe
4576 .exe

pid	process
5100	.exe
4576	.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d4278af4c129db3ea1c48d890304abd1.exed4278af4c129db3ea1c48d890304abd1.exe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	d4278af4c129db3ea1c48d890304abd1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	d4278af4c129db3ea1c48d890304abd1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d4278af4c129db3ea1c48d890304abd1.exe.exe

description	pid	process	target process
PID 4740 set thread context of 916	4740	d4278af4c129db3ea1c48d890304abd1.exe	d4278af4c129db3ea1c48d890304abd1.exe
PID 5100 set thread context of 4576	5100	.exe	.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1340 schtasks.exe
4848 schtasks.exe
3536 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2800 timeout.exe

pid	process
1340	schtasks.exe
4848	schtasks.exe
3536	schtasks.exe

pid	process
2800	timeout.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.exed4278af4c129db3ea1c48d890304abd1.exepowershell.exe

pid	process
824	powershell.exe
824	powershell.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
916	d4278af4c129db3ea1c48d890304abd1.exe
4740	powershell.exe
4740	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exed4278af4c129db3ea1c48d890304abd1.exepowershell.exe.exe

description	pid	process
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	916	d4278af4c129db3ea1c48d890304abd1.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4576	.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

d4278af4c129db3ea1c48d890304abd1.exed4278af4c129db3ea1c48d890304abd1.execmd.execmd.exe.exe

description	pid	process	target process
PID 4740 wrote to memory of 824	4740	d4278af4c129db3ea1c48d890304abd1.exe	powershell.exe
PID 4740 wrote to memory of 824	4740	d4278af4c129db3ea1c48d890304abd1.exe	powershell.exe
PID 4740 wrote to memory of 824	4740	d4278af4c129db3ea1c48d890304abd1.exe	powershell.exe
PID 4740 wrote to memory of 3536	4740	d4278af4c129db3ea1c48d890304abd1.exe	schtasks.exe
PID 4740 wrote to memory of 3536	4740	d4278af4c129db3ea1c48d890304abd1.exe	schtasks.exe
PID 4740 wrote to memory of 3536	4740	d4278af4c129db3ea1c48d890304abd1.exe	schtasks.exe
PID 4740 wrote to memory of 916	4740	d4278af4c129db3ea1c48d890304abd1.exe	d4278af4c129db3ea1c48d890304abd1.exe
PID 4740 wrote to memory of 916	4740	d4278af4c129db3ea1c48d890304abd1.exe	d4278af4c129db3ea1c48d890304abd1.exe
PID 4740 wrote to memory of 916	4740	d4278af4c129db3ea1c48d890304abd1.exe	d4278af4c129db3ea1c48d890304abd1.exe
PID 4740 wrote to memory of 916	4740	d4278af4c129db3ea1c48d890304abd1.exe	d4278af4c129db3ea1c48d890304abd1.exe
PID 4740 wrote to memory of 916	4740	d4278af4c129db3ea1c48d890304abd1.exe	d4278af4c129db3ea1c48d890304abd1.exe
PID 4740 wrote to memory of 916	4740	d4278af4c129db3ea1c48d890304abd1.exe	d4278af4c129db3ea1c48d890304abd1.exe
PID 4740 wrote to memory of 916	4740	d4278af4c129db3ea1c48d890304abd1.exe	d4278af4c129db3ea1c48d890304abd1.exe
PID 4740 wrote to memory of 916	4740	d4278af4c129db3ea1c48d890304abd1.exe	d4278af4c129db3ea1c48d890304abd1.exe
PID 916 wrote to memory of 4276	916	d4278af4c129db3ea1c48d890304abd1.exe	cmd.exe
PID 916 wrote to memory of 4276	916	d4278af4c129db3ea1c48d890304abd1.exe	cmd.exe
PID 916 wrote to memory of 4276	916	d4278af4c129db3ea1c48d890304abd1.exe	cmd.exe
PID 916 wrote to memory of 4512	916	d4278af4c129db3ea1c48d890304abd1.exe	cmd.exe
PID 916 wrote to memory of 4512	916	d4278af4c129db3ea1c48d890304abd1.exe	cmd.exe
PID 916 wrote to memory of 4512	916	d4278af4c129db3ea1c48d890304abd1.exe	cmd.exe
PID 4276 wrote to memory of 1340	4276	cmd.exe	schtasks.exe
PID 4276 wrote to memory of 1340	4276	cmd.exe	schtasks.exe
PID 4276 wrote to memory of 1340	4276	cmd.exe	schtasks.exe
PID 4512 wrote to memory of 2800	4512	cmd.exe	timeout.exe
PID 4512 wrote to memory of 2800	4512	cmd.exe	timeout.exe
PID 4512 wrote to memory of 2800	4512	cmd.exe	timeout.exe
PID 4512 wrote to memory of 5100	4512	cmd.exe	.exe
PID 4512 wrote to memory of 5100	4512	cmd.exe	.exe
PID 4512 wrote to memory of 5100	4512	cmd.exe	.exe
PID 5100 wrote to memory of 4740	5100	.exe	powershell.exe
PID 5100 wrote to memory of 4740	5100	.exe	powershell.exe
PID 5100 wrote to memory of 4740	5100	.exe	powershell.exe
PID 5100 wrote to memory of 4848	5100	.exe	schtasks.exe
PID 5100 wrote to memory of 4848	5100	.exe	schtasks.exe
PID 5100 wrote to memory of 4848	5100	.exe	schtasks.exe
PID 5100 wrote to memory of 4576	5100	.exe	.exe
PID 5100 wrote to memory of 4576	5100	.exe	.exe
PID 5100 wrote to memory of 4576	5100	.exe	.exe
PID 5100 wrote to memory of 4576	5100	.exe	.exe
PID 5100 wrote to memory of 4576	5100	.exe	.exe
PID 5100 wrote to memory of 4576	5100	.exe	.exe
PID 5100 wrote to memory of 4576	5100	.exe	.exe
PID 5100 wrote to memory of 4576	5100	.exe	.exe

C:\Users\Admin\AppData\Local\Temp\d4278af4c129db3ea1c48d890304abd1.exe
"C:\Users\Admin\AppData\Local\Temp\d4278af4c129db3ea1c48d890304abd1.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZgolgcKGNozdg.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA49C.tmp"
2⤵
- Creates scheduled task(s)
PID:3536

C:\Users\Admin\AppData\Local\Temp\d4278af4c129db3ea1c48d890304abd1.exe
"C:\Users\Admin\AppData\Local\Temp\d4278af4c129db3ea1c48d890304abd1.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\Admin\AppData\Roaming\.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\Admin\AppData\Roaming\.exe"'
4⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC091.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2800

C:\Users\Admin\AppData\Roaming\.exe
"C:\Users\Admin\AppData\Roaming\.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZgolgcKGNozdg.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB1D6.tmp"
5⤵
- Creates scheduled task(s)
PID:4848

C:\Users\Admin\AppData\Roaming\.exe
"C:\Users\Admin\AppData\Roaming\.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d4278af4c129db3ea1c48d890304abd1.exe.log
Filesize
1KB

MD5
8323fae9fbc8238dfd3efdc87ac3534c

SHA1
d88623828a38d6b528963a32902c9f336a08942e

SHA256
1ccd81d339d51696fa8569e0ea179873452e8aa087b14a397538cda74996fe00

SHA512
9a50d78360761b85c2b49fd2959744c004a74600ffef5756391fec0f02c8aafc6061a028518808693297f03e9fc65067e3d4b29d876ed70eb8e2ad9094d246c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
51KB

MD5
5b11fd821061ff07a306800cf42a45f8

SHA1
ba659be366bb3827061eee6a21df3c00f1265371

SHA256
5802fe2f0af337fe409e3f9e9dc034dcf79289de9f95dce161132820b1f6de4f

SHA512
98b0349261ed2400c11880b0f4054bab14bc5ed704be0c81d18dfbf3b0e0bddd7d93ae45fb5d35a5c20a2f13a6780402d45b5fc6367ed5f654fd1dcb1a3c9cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
676f6a5f7f2f8dbde923c3deee9f2e1c

SHA1
5579498cb608d8a7ff807e54d86779647b7a545e

SHA256
4e9b2ce8cc8bcae06045dc1bf9228d97e28f8ad97f6969b165c3838282c27013

SHA512
2087a4c4b4718ec4c532b59d205adb7095898ff214e80e255148f6442d5cc561b42e9577769a4271ef3fd36228527ccf2f3516c30fa7a361cf678bd0d5f0f96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA49C.tmp
Filesize
1KB

MD5
cc5d7ac0e3681730e695e09a50508e09

SHA1
e70ef0ea23f7f28073cec9455c4c3bb652f4fc16

SHA256
67eaf89cd550b863edf4117a0be8504306454466fe70624b29e42415685a914e

SHA512
9ede905daa964670eeecc456d596db430c9668612b7fb93fc6e76ae413ca0c8f376c240a2a951764dbd9d5cb06125b98eed04563b0facf06c3f94c2c29049ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB1D6.tmp
Filesize
1KB

MD5
cc5d7ac0e3681730e695e09a50508e09

SHA1
e70ef0ea23f7f28073cec9455c4c3bb652f4fc16

SHA256
67eaf89cd550b863edf4117a0be8504306454466fe70624b29e42415685a914e

SHA512
9ede905daa964670eeecc456d596db430c9668612b7fb93fc6e76ae413ca0c8f376c240a2a951764dbd9d5cb06125b98eed04563b0facf06c3f94c2c29049ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC091.tmp.bat
Filesize
144B

MD5
eb5257f0d04fecaad1251cc9c225d165

SHA1
e9bd05cdfeaa037dc3d874616b0a5b1f75c70392

SHA256
d3cab86399870656941d31c0da535b650091e53fa39e6ccc640685eb3afa2632

SHA512
d88d38fad2ce95f9317644765444b29d0398bcde0b7e7016c9814aa6a685cebe6602abe5e970eda58df07110178160844dc260e56bba3547fabc8c06325743ac

Download Submit
C:\Users\Admin\AppData\Roaming\.exe
Filesize
616KB

MD5
d4278af4c129db3ea1c48d890304abd1

SHA1
b6ca93a2c12c164a73339020070662b618723744

SHA256
9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc

SHA512
807c9a5242a831f2f70e8a949a11c58cfe79b9438a7c2d5484ce899cef6f2f8574f7b03a8d896b5e6473669738266cb04b1b0f9c5e63d85c4c2a00e132b9dcc2

Download Submit
C:\Users\Admin\AppData\Roaming\.exe
Filesize
616KB

MD5
d4278af4c129db3ea1c48d890304abd1

SHA1
b6ca93a2c12c164a73339020070662b618723744

SHA256
9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc

SHA512
807c9a5242a831f2f70e8a949a11c58cfe79b9438a7c2d5484ce899cef6f2f8574f7b03a8d896b5e6473669738266cb04b1b0f9c5e63d85c4c2a00e132b9dcc2

Download Submit
C:\Users\Admin\AppData\Roaming\.exe
Filesize
616KB

MD5
d4278af4c129db3ea1c48d890304abd1

SHA1
b6ca93a2c12c164a73339020070662b618723744

SHA256
9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc

SHA512
807c9a5242a831f2f70e8a949a11c58cfe79b9438a7c2d5484ce899cef6f2f8574f7b03a8d896b5e6473669738266cb04b1b0f9c5e63d85c4c2a00e132b9dcc2

Download Submit
memory/824-163-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/824-149-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/824-138-0x0000000004920000-0x0000000004956000-memory.dmp

Filesize
216KB

Download
memory/824-143-0x0000000004F90000-0x00000000055B8000-memory.dmp

Filesize
6.2MB

Download
memory/824-144-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

Filesize
136KB

Download
memory/824-145-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/824-146-0x0000000005F30000-0x0000000005F4E000-memory.dmp

Filesize
120KB

Download
memory/824-147-0x0000000006510000-0x0000000006542000-memory.dmp

Filesize
200KB

Download
memory/824-148-0x0000000070EE0000-0x0000000070F2C000-memory.dmp

Filesize
304KB

Download
memory/824-136-0x0000000000000000-mapping.dmp

Download
memory/824-150-0x0000000007880000-0x0000000007EFA000-memory.dmp

Filesize
6.5MB

Download
memory/824-151-0x0000000007230000-0x000000000724A000-memory.dmp

Filesize
104KB

Download
memory/824-152-0x00000000072A0000-0x00000000072AA000-memory.dmp

Filesize
40KB

Download
memory/824-164-0x00000000074C0000-0x00000000074C8000-memory.dmp

Filesize
32KB

Download
memory/824-162-0x0000000007480000-0x000000000748E000-memory.dmp

Filesize
56KB

Download
memory/824-155-0x00000000074D0000-0x0000000007566000-memory.dmp

Filesize
600KB

Download
memory/916-140-0x0000000000000000-mapping.dmp

Download
memory/916-141-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1340-157-0x0000000000000000-mapping.dmp

Download
memory/2800-158-0x0000000000000000-mapping.dmp

Download
memory/3536-137-0x0000000000000000-mapping.dmp

Download
memory/4276-153-0x0000000000000000-mapping.dmp

Download
memory/4512-154-0x0000000000000000-mapping.dmp

Download
memory/4576-169-0x0000000000000000-mapping.dmp

Download
memory/4740-165-0x0000000000000000-mapping.dmp

Download
memory/4740-130-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4740-135-0x0000000000F70000-0x0000000000FD6000-memory.dmp

Filesize
408KB

Download
memory/4740-134-0x0000000000E60000-0x0000000000EFC000-memory.dmp

Filesize
624KB

Download
memory/4740-133-0x00000000029F0000-0x00000000029FA000-memory.dmp

Filesize
40KB

Download
memory/4740-132-0x0000000004F10000-0x0000000004FA2000-memory.dmp

Filesize
584KB

Download
memory/4740-131-0x0000000005580000-0x0000000005B24000-memory.dmp

Filesize
5.6MB

Download
memory/4740-174-0x00000000730C0000-0x000000007310C000-memory.dmp

Filesize
304KB

Download
memory/4848-166-0x0000000000000000-mapping.dmp

Download
memory/5100-159-0x0000000000000000-mapping.dmp

Download