Analysis
-
max time kernel
42s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
11-10-2022 11:17
Behavioral task
behavioral1
Sample
AsyncClient.exe
Resource
win7-20220812-en
Errors
General
-
Target
AsyncClient.exe
-
Size
45KB
-
MD5
3f549b99378e1a294ac5ca6925be62a3
-
SHA1
465517830a668415d8bbe2991e02b44ef82793eb
-
SHA256
09a64f0c420f2ef24cdeee7449840749c15c9449ee51e5d2e032958a3bd48a35
-
SHA512
c8919b5b08343414d1c899a97edd45d85d12512323b29c3ab95d3caffb55283b2cfb4d8738148bf1f1e9050f52f05fdf0da89e9612345ac9e28c7d21d8397fe8
-
SSDEEP
768:LuScq5TAYGTqWU8j+zmo2qLzKjGKG6PIyzjbFgX3iCcQjKdSpmBDZbx:LuScq5TA5c2eKYDy3bCXSmrpodbx
Malware Config
Extracted
asyncrat
0.5.7B
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:139
192.168.1.2:6606
192.168.1.2:7707
192.168.1.2:8808
192.168.1.2:139
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Async RAT payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1976-54-0x0000000001250000-0x0000000001262000-memory.dmp asyncrat -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
AsyncClient.exeAUDIODG.EXEdescription pid process Token: SeDebugPrivilege 1976 AsyncClient.exe Token: 33 556 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 556 AUDIODG.EXE Token: 33 556 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 556 AUDIODG.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\Desktop\FindPop.bat" "1⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\Ωî╛╢╬l)╛3╤a¿P1⤵
- Modifies registry class
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5101⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵