asyncrat | 501317a60d63bac59b9cc6994cd4d03207a929ab689939d062635656b4ed8231

Analysis

max time kernel
177s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2022 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BcJRFxiQTFDdmBX.exe
Size

48KB
MD5

a671a69d4e3f7425bf163eae052250ff
SHA1

80c47eae696348b607f5f54ab3101c10c64192ce
SHA256

447f95e2299fbab8e30669f1fd5c71b2e69499e25adae3373093c0317f53fdc5
SHA512

527a88921d628ffbe1cfbe21f204e3dbf3cea026129c6a9e3d713a82b9c9e6f75155f5da4bfe2f14845d6542cdbe129fa72214b028c4fdc397456d33f789a85b
SSDEEP

768:mbRJZBILLWQ9+jiwtelDSN+iV08Ybygecb+zqBEmyIvEgK/JbZVc6KN:mbRq9wtKDs4zb1pu9xInkJbZVclN

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral10/memory/2856-132-0x00000000006B0000-0x00000000006C2000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\Windows Service .exe	asyncrat
C:\Users\Admin\AppData\Roaming\Windows Service .exe	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Windows Service .exe

pid process

1256 Windows Service .exe

pid	process
1256	Windows Service .exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BcJRFxiQTFDdmBX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	BcJRFxiQTFDdmBX.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4852 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4340 timeout.exe

pid	process
4852	schtasks.exe

pid	process
4340	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

BcJRFxiQTFDdmBX.exe

pid	process
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe
2856	BcJRFxiQTFDdmBX.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BcJRFxiQTFDdmBX.exeWindows Service .exe

description pid process

Token: SeDebugPrivilege 2856 BcJRFxiQTFDdmBX.exe
Token: SeDebugPrivilege 1256 Windows Service .exe

description	pid	process
Token: SeDebugPrivilege	2856	BcJRFxiQTFDdmBX.exe
Token: SeDebugPrivilege	1256	Windows Service .exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

BcJRFxiQTFDdmBX.execmd.execmd.exe

description	pid	process	target process
PID 2856 wrote to memory of 3552	2856	BcJRFxiQTFDdmBX.exe	cmd.exe
PID 2856 wrote to memory of 3552	2856	BcJRFxiQTFDdmBX.exe	cmd.exe
PID 2856 wrote to memory of 4904	2856	BcJRFxiQTFDdmBX.exe	cmd.exe
PID 2856 wrote to memory of 4904	2856	BcJRFxiQTFDdmBX.exe	cmd.exe
PID 3552 wrote to memory of 4852	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 4852	3552	cmd.exe	schtasks.exe
PID 4904 wrote to memory of 4340	4904	cmd.exe	timeout.exe
PID 4904 wrote to memory of 4340	4904	cmd.exe	timeout.exe
PID 4904 wrote to memory of 1256	4904	cmd.exe	Windows Service .exe
PID 4904 wrote to memory of 1256	4904	cmd.exe	Windows Service .exe

C:\Users\Admin\AppData\Local\Temp\BcJRFxiQTFDdmBX.exe
"C:\Users\Admin\AppData\Local\Temp\BcJRFxiQTFDdmBX.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Service " /tr '"C:\Users\Admin\AppData\Roaming\Windows Service .exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows Service " /tr '"C:\Users\Admin\AppData\Roaming\Windows Service .exe"'
3⤵
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp75CC.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4340

C:\Users\Admin\AppData\Roaming\Windows Service .exe
"C:\Users\Admin\AppData\Roaming\Windows Service .exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp75CC.tmp.bat
Filesize
160B

MD5
3a865c5450718d8c5d1f755f18470ed2

SHA1
87448774a0259d06cbdcc26a6356dcc1a9df048c

SHA256
708ed4d17c3fb8e5dbf99508cd7ab1598ec4daaa6bf21db0a816c41386a1f3e6

SHA512
ee2cb5c7c50c4ab5d3502b33d003f7c88510dde6d55e5b690efdc7ff51db162777675cf72724f36f7f6d6830d3c1873a73bf7706230f40ee9b7b4babda4e6f7b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Service .exe
Filesize
48KB

MD5
a671a69d4e3f7425bf163eae052250ff

SHA1
80c47eae696348b607f5f54ab3101c10c64192ce

SHA256
447f95e2299fbab8e30669f1fd5c71b2e69499e25adae3373093c0317f53fdc5

SHA512
527a88921d628ffbe1cfbe21f204e3dbf3cea026129c6a9e3d713a82b9c9e6f75155f5da4bfe2f14845d6542cdbe129fa72214b028c4fdc397456d33f789a85b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Service .exe
Filesize
48KB

MD5
a671a69d4e3f7425bf163eae052250ff

SHA1
80c47eae696348b607f5f54ab3101c10c64192ce

SHA256
447f95e2299fbab8e30669f1fd5c71b2e69499e25adae3373093c0317f53fdc5

SHA512
527a88921d628ffbe1cfbe21f204e3dbf3cea026129c6a9e3d713a82b9c9e6f75155f5da4bfe2f14845d6542cdbe129fa72214b028c4fdc397456d33f789a85b

Download Submit
memory/1256-140-0x0000000000000000-mapping.dmp

Download
memory/1256-144-0x00007FFF77E20000-0x00007FFF788E1000-memory.dmp

Filesize
10.8MB

Download
memory/1256-143-0x00007FFF77E20000-0x00007FFF788E1000-memory.dmp

Filesize
10.8MB

Download
memory/2856-139-0x00007FFF77E20000-0x00007FFF788E1000-memory.dmp

Filesize
10.8MB

Download
memory/2856-132-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download
memory/2856-133-0x00007FFF77E20000-0x00007FFF788E1000-memory.dmp

Filesize
10.8MB

Download
memory/3552-134-0x0000000000000000-mapping.dmp

Download
memory/4340-138-0x0000000000000000-mapping.dmp

Download
memory/4852-136-0x0000000000000000-mapping.dmp

Download
memory/4904-135-0x0000000000000000-mapping.dmp

Download