asyncrat | f60bcc6d90d9415a7c3c8beebdeeed867df6681880b10e925cdbc767840793ea

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a514f5618e75e6976b61a2e2ca4f9291.exe
Size

1.2MB
MD5

a514f5618e75e6976b61a2e2ca4f9291
SHA1

1f6e5ea09e3617c2113bbf0c854fa9c6ef7dbf8e
SHA256

f60bcc6d90d9415a7c3c8beebdeeed867df6681880b10e925cdbc767840793ea
SHA512

20ed5d38666461559a5c95321240568b77c7ef3ea5e9f66d61288d0ea6a9a863d35dd44fff4f758a050240d68febf8b38b9de3cee5ccd09509155cad3b85af00
SSDEEP

24576:JAOcZe4ecyPEy42o1wW6vjOnFveUkjPV99npuezy71oporah3:jW1y4hY6teUkj9fZe6Gs

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

product62.duckdns.org:1905

goodygoody.duckdns.org:1905

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
Windows updater.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/836-76-0x0000000000210000-0x00000000007CF000-memory.dmp	asyncrat
behavioral1/memory/836-77-0x000000000021C78E-mapping.dmp	asyncrat
behavioral1/memory/836-80-0x0000000000210000-0x00000000007CF000-memory.dmp	asyncrat
behavioral1/memory/836-82-0x0000000000210000-0x00000000007CF000-memory.dmp	asyncrat
behavioral1/memory/836-84-0x0000000000210000-0x0000000000222000-memory.dmp	asyncrat

Executes dropped EXE 3 IoCs

Processes:

aoqpxwe.pifaoqpxwe.pifRegSvcs.exe

pid process

944 aoqpxwe.pif
568 aoqpxwe.pif
836 RegSvcs.exe

Loads dropped DLL 6 IoCs

Processes:

a514f5618e75e6976b61a2e2ca4f9291.exeWScript.exeaoqpxwe.pif

pid	process
1048	a514f5618e75e6976b61a2e2ca4f9291.exe
1048	a514f5618e75e6976b61a2e2ca4f9291.exe
1048	a514f5618e75e6976b61a2e2ca4f9291.exe
1048	a514f5618e75e6976b61a2e2ca4f9291.exe
2020	WScript.exe
568	aoqpxwe.pif

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aoqpxwe.pifaoqpxwe.pif

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\telling = "C:\\Users\\Admin\\7_43\\aoqpxwe.pif C:\\Users\\Admin\\7_43\\haxtim.apd"	aoqpxwe.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	aoqpxwe.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\telling = "C:\\Users\\Admin\\7_43\\aoqpxwe.pif C:\\Users\\Admin\\7_43\\haxtim.apd"	aoqpxwe.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	aoqpxwe.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

aoqpxwe.pif

description pid process target process

PID 568 set thread context of 836 568 aoqpxwe.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 568 set thread context of 836	568	aoqpxwe.pif	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aoqpxwe.pifaoqpxwe.pifRegSvcs.exe

pid	process
944	aoqpxwe.pif
944	aoqpxwe.pif
944	aoqpxwe.pif
944	aoqpxwe.pif
944	aoqpxwe.pif
944	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
836	RegSvcs.exe
836	RegSvcs.exe
836	RegSvcs.exe
836	RegSvcs.exe
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif
568	aoqpxwe.pif

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 836 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	836	RegSvcs.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

a514f5618e75e6976b61a2e2ca4f9291.exeaoqpxwe.pifWScript.exeaoqpxwe.pif

description	pid	process	target process
PID 1048 wrote to memory of 944	1048	a514f5618e75e6976b61a2e2ca4f9291.exe	aoqpxwe.pif
PID 1048 wrote to memory of 944	1048	a514f5618e75e6976b61a2e2ca4f9291.exe	aoqpxwe.pif
PID 1048 wrote to memory of 944	1048	a514f5618e75e6976b61a2e2ca4f9291.exe	aoqpxwe.pif
PID 1048 wrote to memory of 944	1048	a514f5618e75e6976b61a2e2ca4f9291.exe	aoqpxwe.pif
PID 1048 wrote to memory of 944	1048	a514f5618e75e6976b61a2e2ca4f9291.exe	aoqpxwe.pif
PID 1048 wrote to memory of 944	1048	a514f5618e75e6976b61a2e2ca4f9291.exe	aoqpxwe.pif
PID 1048 wrote to memory of 944	1048	a514f5618e75e6976b61a2e2ca4f9291.exe	aoqpxwe.pif
PID 944 wrote to memory of 2020	944	aoqpxwe.pif	WScript.exe
PID 944 wrote to memory of 2020	944	aoqpxwe.pif	WScript.exe
PID 944 wrote to memory of 2020	944	aoqpxwe.pif	WScript.exe
PID 944 wrote to memory of 2020	944	aoqpxwe.pif	WScript.exe
PID 2020 wrote to memory of 568	2020	WScript.exe	aoqpxwe.pif
PID 2020 wrote to memory of 568	2020	WScript.exe	aoqpxwe.pif
PID 2020 wrote to memory of 568	2020	WScript.exe	aoqpxwe.pif
PID 2020 wrote to memory of 568	2020	WScript.exe	aoqpxwe.pif
PID 2020 wrote to memory of 568	2020	WScript.exe	aoqpxwe.pif
PID 2020 wrote to memory of 568	2020	WScript.exe	aoqpxwe.pif
PID 2020 wrote to memory of 568	2020	WScript.exe	aoqpxwe.pif
PID 568 wrote to memory of 836	568	aoqpxwe.pif	RegSvcs.exe
PID 568 wrote to memory of 836	568	aoqpxwe.pif	RegSvcs.exe
PID 568 wrote to memory of 836	568	aoqpxwe.pif	RegSvcs.exe
PID 568 wrote to memory of 836	568	aoqpxwe.pif	RegSvcs.exe
PID 568 wrote to memory of 836	568	aoqpxwe.pif	RegSvcs.exe
PID 568 wrote to memory of 836	568	aoqpxwe.pif	RegSvcs.exe
PID 568 wrote to memory of 836	568	aoqpxwe.pif	RegSvcs.exe
PID 568 wrote to memory of 836	568	aoqpxwe.pif	RegSvcs.exe
PID 568 wrote to memory of 836	568	aoqpxwe.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\a514f5618e75e6976b61a2e2ca4f9291.exe
"C:\Users\Admin\AppData\Local\Temp\a514f5618e75e6976b61a2e2ca4f9291.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\7_43\aoqpxwe.pif
"C:\Users\Admin\7_43\aoqpxwe.pif" haxtim.apd
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\7_43\run.vbs"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\7_43\aoqpxwe.pif
"C:\Users\Admin\7_43\aoqpxwe.pif" haxtim.apd
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\7_43\aoqpxwe.pif
Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
C:\Users\Admin\7_43\aoqpxwe.pif
Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
C:\Users\Admin\7_43\aoqpxwe.pif
Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
C:\Users\Admin\7_43\fpqmvvxh.ppv
Filesize
90KB

MD5
8f7afd4090dab508eda419e02b4f73e5

SHA1
e29a41526aa914a37e97ddeff800e670a41a7faf

SHA256
30b0b52b68dca6bc429edc6eed7f4f61e5481e996e88738bd4b22dc8dd8d5bfa

SHA512
00f23b4e52f94125db5146a39b022094e444317f361b1d8112f50d9d2e4d62e3d7082392a875c2a3aca66f4f60b4fdcf9bfbe449c27d2cf1ca182e4574d96c58

Download Submit
C:\Users\Admin\7_43\hajlttccg.icm
Filesize
55KB

MD5
4e4d1b73c27cf35e8e76f97086c546dd

SHA1
05f9912462a30720c1e4549e2177eecfd9ffa046

SHA256
62108ab333bcc3fa356f33398aef4d520f2365ed3639d0f486ae90c2dcfbd078

SHA512
b04143c73dbf722d477cb63bd3b6b1db24ba9e8c97b732f2634942e4b2aa67352a3af92725353dc625b7dabcd7a64b37532d7ee31b1bbdf26e3e7496eaea00a0

Download Submit
C:\Users\Admin\7_43\haxtim.apd
Filesize
216.6MB

MD5
0f8dbda31b556ccd2ed91705fa600d3f

SHA1
9ad66ddd6a14a06829a9f9830229ae294fb1efcc

SHA256
69321265d9e2e8ceafdf4bb4632302558385bab13afe631f430348fe4f035b50

SHA512
90c313ded54500c10eed968d0e2491e6e4b02b7adba508e63c3fc97ee4d55cf22d5cae03f2ead04f1cb9329623e81e71b15b4d51fbe23fbad7895dfa5d94ffec

Download Submit
C:\Users\Admin\7_43\run.vbs
Filesize
110B

MD5
32f85dcd9eae2a173004252bda79b564

SHA1
d114168a37f72bacecb03a31ceca6ded02c9aa72

SHA256
7ed9fcda3675ba010456bca9474f086337c9e47e2caa3aa11117afde946605bb

SHA512
4c5061e3fab40557f618613f923f73d95b3fceb7b5f8e2ee7a8c08d437e6696e5887bbadc5aa27221765ba7c3965d37861c01ada523a0e61cbafcaf404002e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\7_43\aoqpxwe.pif
Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
\Users\Admin\7_43\aoqpxwe.pif
Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
\Users\Admin\7_43\aoqpxwe.pif
Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
\Users\Admin\7_43\aoqpxwe.pif
Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
\Users\Admin\7_43\aoqpxwe.pif
Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/568-70-0x0000000000000000-mapping.dmp

Download
memory/836-76-0x0000000000210000-0x00000000007CF000-memory.dmp

Filesize
5.7MB

Download
memory/836-74-0x0000000000210000-0x00000000007CF000-memory.dmp

Filesize
5.7MB

Download
memory/836-77-0x000000000021C78E-mapping.dmp

Download
memory/836-80-0x0000000000210000-0x00000000007CF000-memory.dmp

Filesize
5.7MB

Download
memory/836-82-0x0000000000210000-0x00000000007CF000-memory.dmp

Filesize
5.7MB

Download
memory/836-84-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/944-59-0x0000000000000000-mapping.dmp

Download
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/2020-65-0x0000000000000000-mapping.dmp

Download