asyncrat | 8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b

General

Target

_.exe
Size

54KB
MD5

372bbbd0c71b8c26c57fa9b95e0cc77d
SHA1

6c88c48264407b845bef8b669a610de1ceb04536
SHA256

8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b
SHA512

9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632

Score

10^/10

asyncrat evasion persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1920-54-0x0000000000800000-0x0000000000814000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\.exe	asyncrat
C:\Users\Admin\AppData\Roaming\.exe	asyncrat
behavioral1/memory/1208-63-0x0000000000C70000-0x0000000000C84000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

.exe

pid process

1208 .exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1512 attrib.exe
1752 attrib.exe

pid	process
1208	.exe

pid	process
1512	attrib.exe
1752	attrib.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

_.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\.exe\""	_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

528 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

_.exe

pid process

1920 _.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

_.exe.exe

description pid process

Token: SeDebugPrivilege 1920 _.exe
Token: SeDebugPrivilege 1208 .exe

pid	process
528	timeout.exe

pid	process
1920	_.exe

description	pid	process
Token: SeDebugPrivilege	1920	_.exe
Token: SeDebugPrivilege	1208	.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

_.execmd.exe

description	pid	process	target process
PID 1920 wrote to memory of 1512	1920	_.exe	attrib.exe
PID 1920 wrote to memory of 1512	1920	_.exe	attrib.exe
PID 1920 wrote to memory of 1512	1920	_.exe	attrib.exe
PID 1920 wrote to memory of 1752	1920	_.exe	attrib.exe
PID 1920 wrote to memory of 1752	1920	_.exe	attrib.exe
PID 1920 wrote to memory of 1752	1920	_.exe	attrib.exe
PID 1920 wrote to memory of 564	1920	_.exe	cmd.exe
PID 1920 wrote to memory of 564	1920	_.exe	cmd.exe
PID 1920 wrote to memory of 564	1920	_.exe	cmd.exe
PID 564 wrote to memory of 528	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 528	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 528	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 1208	564	cmd.exe	.exe
PID 564 wrote to memory of 1208	564	cmd.exe	.exe
PID 564 wrote to memory of 1208	564	cmd.exe	.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1512 attrib.exe
1752 attrib.exe

pid	process
1512	attrib.exe
1752	attrib.exe

C:\Users\Admin\AppData\Local\Temp\_.exe
"C:\Users\Admin\AppData\Local\Temp\_.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming"
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1512

C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\.exe"
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1752

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpACF3.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:528

C:\Users\Admin\AppData\Roaming\.exe
"C:\Users\Admin\AppData\Roaming\.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpACF3.tmp.bat
Filesize
144B

MD5
be5e4c8dd18ed25ae0674db64b658658

SHA1
a700ed3f01db4f7d905dae3e957208a25432a083

SHA256
db0ea282cfd141c1a02f41261e0e5a3adaed675f490d4985f21bca0cc21e32ae

SHA512
32745614b79d97a978cec6f4697a1c10cd51e749fff077311699e5d1b277521ec912676a8b560d7a53fe72b805ee1eff23238e7970e07c9c4f5f41eb762373ac

Download Submit
C:\Users\Admin\AppData\Roaming\.exe
Filesize
54KB

MD5
372bbbd0c71b8c26c57fa9b95e0cc77d

SHA1
6c88c48264407b845bef8b669a610de1ceb04536

SHA256
8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b

SHA512
9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632

Download Submit
C:\Users\Admin\AppData\Roaming\.exe
Filesize
54KB

MD5
372bbbd0c71b8c26c57fa9b95e0cc77d

SHA1
6c88c48264407b845bef8b669a610de1ceb04536

SHA256
8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b

SHA512
9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632

Download Submit
memory/528-60-0x0000000000000000-mapping.dmp

Download
memory/564-58-0x0000000000000000-mapping.dmp

Download
memory/1208-61-0x0000000000000000-mapping.dmp

Download
memory/1208-63-0x0000000000C70000-0x0000000000C84000-memory.dmp

Filesize
80KB

Download
memory/1512-55-0x0000000000000000-mapping.dmp

Download
memory/1752-56-0x0000000000000000-mapping.dmp

Download
memory/1920-54-0x0000000000800000-0x0000000000814000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads