asyncrat | d71cdeb52c0e74f3b4c96e4b5dbe70af00814283985036d62b43de0950d77b22

General

Target

FedEx_Label_202218201.exe
Size

28KB
MD5

9fa348df801f0d2cebb02378b3546f6e
SHA1

03a5c5344ad4c92366cb086ad78bb7f4fe4f7a17
SHA256

d71cdeb52c0e74f3b4c96e4b5dbe70af00814283985036d62b43de0950d77b22
SHA512

b48e919554920a4f441401b8f453a09eebf10fced670e1e35d01433a2edb990815894250cab3773104ca05064183be3779d4f6acac3040f5955a05a760476ae7
SSDEEP

384:1iAAKDVj/yf2BGuegE3YCoLY40E6vDOT5kYgH5Oj8A5PPPPPPPPPPPPPPPQPPPPV:0AAGo2eg+YCc/6m5k75RPhNf2

Score

10^/10

asyncrat persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FedEx_Label_202218201.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hzezmdk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Pnitzny\\Hzezmdk.exe\""	FedEx_Label_202218201.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

FedEx_Label_202218201.exe

description pid process target process

PID 1456 set thread context of 1964 1456 FedEx_Label_202218201.exe FedEx_Label_202218201.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1320 powershell.exe
1060 powershell.exe

description	pid	process	target process
PID 1456 set thread context of 1964	1456	FedEx_Label_202218201.exe	FedEx_Label_202218201.exe

pid	process
1320	powershell.exe
1060	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

FedEx_Label_202218201.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1456	FedEx_Label_202218201.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

FedEx_Label_202218201.exe

description	pid	process	target process
PID 1456 wrote to memory of 1320	1456	FedEx_Label_202218201.exe	powershell.exe
PID 1456 wrote to memory of 1320	1456	FedEx_Label_202218201.exe	powershell.exe
PID 1456 wrote to memory of 1320	1456	FedEx_Label_202218201.exe	powershell.exe
PID 1456 wrote to memory of 1320	1456	FedEx_Label_202218201.exe	powershell.exe
PID 1456 wrote to memory of 1060	1456	FedEx_Label_202218201.exe	powershell.exe
PID 1456 wrote to memory of 1060	1456	FedEx_Label_202218201.exe	powershell.exe
PID 1456 wrote to memory of 1060	1456	FedEx_Label_202218201.exe	powershell.exe
PID 1456 wrote to memory of 1060	1456	FedEx_Label_202218201.exe	powershell.exe
PID 1456 wrote to memory of 1964	1456	FedEx_Label_202218201.exe	FedEx_Label_202218201.exe
PID 1456 wrote to memory of 1964	1456	FedEx_Label_202218201.exe	FedEx_Label_202218201.exe
PID 1456 wrote to memory of 1964	1456	FedEx_Label_202218201.exe	FedEx_Label_202218201.exe
PID 1456 wrote to memory of 1964	1456	FedEx_Label_202218201.exe	FedEx_Label_202218201.exe
PID 1456 wrote to memory of 1964	1456	FedEx_Label_202218201.exe	FedEx_Label_202218201.exe
PID 1456 wrote to memory of 1964	1456	FedEx_Label_202218201.exe	FedEx_Label_202218201.exe
PID 1456 wrote to memory of 1964	1456	FedEx_Label_202218201.exe	FedEx_Label_202218201.exe
PID 1456 wrote to memory of 1964	1456	FedEx_Label_202218201.exe	FedEx_Label_202218201.exe
PID 1456 wrote to memory of 1964	1456	FedEx_Label_202218201.exe	FedEx_Label_202218201.exe

C:\Users\Admin\AppData\Local\Temp\FedEx_Label_202218201.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx_Label_202218201.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Users\Admin\AppData\Local\Temp\FedEx_Label_202218201.exe
C:\Users\Admin\AppData\Local\Temp\FedEx_Label_202218201.exe
2⤵
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
02aa78ff2c96bbb7a62296c60d930520

SHA1
4bcff4555caba288db86d304c61371ecaa21ead8

SHA256
e325250e9d7be443beb180340f30e452af82353ad0e210b19080975e9cd7c4d8

SHA512
50b389a3834655ec4648d38d51164aa36259118e82a3744d189855c2874f873cb3a49eb92a2764dc4cb07365ae0bd8fecae4b52cdc96cdfce90b5122de271ef5

Download Submit
memory/1060-63-0x0000000000000000-mapping.dmp

Download
memory/1060-67-0x000000006EC40000-0x000000006F1EB000-memory.dmp

Filesize
5.7MB

Download
memory/1060-66-0x000000006EC40000-0x000000006F1EB000-memory.dmp

Filesize
5.7MB

Download
memory/1320-60-0x000000006EC70000-0x000000006F21B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-58-0x0000000000000000-mapping.dmp

Download
memory/1320-61-0x000000006EC70000-0x000000006F21B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-62-0x000000006EC70000-0x000000006F21B000-memory.dmp

Filesize
5.7MB

Download
memory/1456-55-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1456-57-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/1456-56-0x0000000005610000-0x00000000056C4000-memory.dmp

Filesize
720KB

Download
memory/1456-54-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

Filesize
48KB

Download
memory/1964-68-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-72-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-74-0x00000000004290CE-mapping.dmp

Download
memory/1964-76-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads