asyncrat | f0c54049ee4311eb991f87a8eb76c700af19d5ebbfc5410f3bafef574b28d0e5

General

Target

8d8a8672dfff84bc479258d004a884339d9c3b53.exe
Size

69KB
MD5

ec7ea366e3d42308a1b8aee82b799dfe
SHA1

8d8a8672dfff84bc479258d004a884339d9c3b53
SHA256

f0c54049ee4311eb991f87a8eb76c700af19d5ebbfc5410f3bafef574b28d0e5
SHA512

59bbd5acb73e5c5b37890b8fcdf3b8a239129117b0bb5422f77d10b4194a23a9cb8a93e94cc4574c3aa44f242e763f4daf92282ed258f96fdd7dedcfd785e6f6
SSDEEP

1536:rwEjos8LrepSGToFwu/MRkSx4Y7uP6Wjh0IA/VD9LCwOC6/CKR09OnE3D:TjosyrepvToFH/Ly4xiKh0tNpMC6Kcnk

Score

10^/10

asyncrat persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.4H

C2

0.tcp.ngrok.io:4444

Mutex

dchckeuexyjmudh

Attributes

delay
0
install
true
install_file
explorer23i.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1068-61-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1068-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1068-65-0x000000000040CECE-mapping.dmp	asyncrat
behavioral1/memory/1068-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1068-69-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1068-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

explorer23i.exe

pid process

1824 explorer23i.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

924 cmd.exe

pid	process
1824	explorer23i.exe

pid	process
924	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\cgdqyvwx pesmyfc = "C:\\Users\\Admin\\AppData\\Roaming\\vlc\\HWMonitor.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8d8a8672dfff84bc479258d004a884339d9c3b53.exe

description pid process target process

PID 936 set thread context of 1068 936 8d8a8672dfff84bc479258d004a884339d9c3b53.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1456 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1652 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

8d8a8672dfff84bc479258d004a884339d9c3b53.exepowershell.exeRegAsm.exe

pid process

936 8d8a8672dfff84bc479258d004a884339d9c3b53.exe
1128 powershell.exe
1068 RegAsm.exe

description	pid	process	target process
PID 936 set thread context of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe

pid	process
1456	schtasks.exe

pid	process
1652	timeout.exe

pid	process
936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe
1128	powershell.exe
1068	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8d8a8672dfff84bc479258d004a884339d9c3b53.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1068	RegAsm.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

8d8a8672dfff84bc479258d004a884339d9c3b53.exeRegAsm.execmd.exe

description	pid	process	target process
PID 936 wrote to memory of 1128	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	powershell.exe
PID 936 wrote to memory of 1128	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	powershell.exe
PID 936 wrote to memory of 1128	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	powershell.exe
PID 936 wrote to memory of 1128	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	powershell.exe
PID 936 wrote to memory of 784	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 784	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 784	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 784	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 784	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 784	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 784	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 936 wrote to memory of 1068	936	8d8a8672dfff84bc479258d004a884339d9c3b53.exe	RegAsm.exe
PID 1068 wrote to memory of 1456	1068	RegAsm.exe	schtasks.exe
PID 1068 wrote to memory of 1456	1068	RegAsm.exe	schtasks.exe
PID 1068 wrote to memory of 1456	1068	RegAsm.exe	schtasks.exe
PID 1068 wrote to memory of 1456	1068	RegAsm.exe	schtasks.exe
PID 1068 wrote to memory of 924	1068	RegAsm.exe	cmd.exe
PID 1068 wrote to memory of 924	1068	RegAsm.exe	cmd.exe
PID 1068 wrote to memory of 924	1068	RegAsm.exe	cmd.exe
PID 1068 wrote to memory of 924	1068	RegAsm.exe	cmd.exe
PID 924 wrote to memory of 1652	924	cmd.exe	timeout.exe
PID 924 wrote to memory of 1652	924	cmd.exe	timeout.exe
PID 924 wrote to memory of 1652	924	cmd.exe	timeout.exe
PID 924 wrote to memory of 1652	924	cmd.exe	timeout.exe
PID 924 wrote to memory of 1824	924	cmd.exe	explorer23i.exe
PID 924 wrote to memory of 1824	924	cmd.exe	explorer23i.exe
PID 924 wrote to memory of 1824	924	cmd.exe	explorer23i.exe
PID 924 wrote to memory of 1824	924	cmd.exe	explorer23i.exe

C:\Users\Admin\AppData\Local\Temp\8d8a8672dfff84bc479258d004a884339d9c3b53.exe
"C:\Users\Admin\AppData\Local\Temp\8d8a8672dfff84bc479258d004a884339d9c3b53.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'cgdqyvwx pesmyfc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'cgdqyvwx pesmyfc' -Value '"C:\Users\Admin\AppData\Roaming\vlc\HWMonitor.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'explorer23i"' /tr "'C:\Users\Admin\AppData\Roaming\explorer23i.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9EB0.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1652
  - - C:\Users\Admin\AppData\Roaming\explorer23i.exe
      "C:\Users\Admin\AppData\Roaming\explorer23i.exe"
      4⤵
      Executes dropped EXE
      PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9EB0.tmp.bat

Filesize
155B

MD5
25cf7cefd9c4dd1edbf2d78d3644287d

SHA1
507a622dc02efa61d7dbfabafb42911d80089177

SHA256
a4b44c73b3a73c0a8d315247ae1f56b7844054307bd0dc105221765eeb42334f

SHA512
5d32c4ad3490858815b3449e2f994a220c0bfb818cc5fd2fb57f2719409c022a2f8898753e173b16dea975bfddb25ed23eddd9d6d510cd62a1f856aeaee501e4

Download Submit
C:\Users\Admin\AppData\Roaming\explorer23i.exe

Filesize
46.9MB

MD5
810c9ee8aa96e098bf7573d6fead639c

SHA1
877824315d34adadb0b4f9f1d40a022f5b8d3956

SHA256
d960e299aa4dfd37380834d742f22fff5910af411e815503135d54023ceeefd4

SHA512
a636caa5f80f591c34f13c3653f362181ecb8da5c8f83ca22683512ec7a5ed120526db7f9bedb8248aef58c68538988d99bf176c845506e15b22b83afc108f90

Download Submit
C:\Users\Admin\AppData\Roaming\explorer23i.exe

Filesize
46.9MB

MD5
810c9ee8aa96e098bf7573d6fead639c

SHA1
877824315d34adadb0b4f9f1d40a022f5b8d3956

SHA256
d960e299aa4dfd37380834d742f22fff5910af411e815503135d54023ceeefd4

SHA512
a636caa5f80f591c34f13c3653f362181ecb8da5c8f83ca22683512ec7a5ed120526db7f9bedb8248aef58c68538988d99bf176c845506e15b22b83afc108f90

Download Submit
\Users\Admin\AppData\Roaming\explorer23i.exe

Filesize
46.9MB

MD5
810c9ee8aa96e098bf7573d6fead639c

SHA1
877824315d34adadb0b4f9f1d40a022f5b8d3956

SHA256
d960e299aa4dfd37380834d742f22fff5910af411e815503135d54023ceeefd4

SHA512
a636caa5f80f591c34f13c3653f362181ecb8da5c8f83ca22683512ec7a5ed120526db7f9bedb8248aef58c68538988d99bf176c845506e15b22b83afc108f90

Download Submit
memory/924-75-0x0000000000000000-mapping.dmp

Download
memory/936-55-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/936-56-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/936-54-0x0000000001310000-0x0000000001328000-memory.dmp

Filesize
96KB

Download
memory/1068-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1068-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1068-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1068-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1068-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1068-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1068-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1068-65-0x000000000040CECE-mapping.dmp

Download
memory/1128-73-0x0000000071EF0000-0x000000007249B000-memory.dmp

Filesize
5.7MB

Download
memory/1128-72-0x0000000071EF0000-0x000000007249B000-memory.dmp

Filesize
5.7MB

Download
memory/1128-57-0x0000000000000000-mapping.dmp

Download
memory/1456-74-0x0000000000000000-mapping.dmp

Download
memory/1652-77-0x0000000000000000-mapping.dmp

Download
memory/1824-80-0x0000000000000000-mapping.dmp

Download
memory/1824-82-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads