asyncrat | 0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d

General

Target

0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
Size

375KB
MD5

fe6df2be242b8f051d1031ac17f97788
SHA1

836da0ac005c03940cc3401d83528326a2148a56
SHA256

0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d
SHA512

bb930da5561f33315f480b2c0347e49de208d4fcf178f4dcb94e4b24a347ef6ec1dededc5ff4cd0867f35d6e36f7bfb5f8560756dabc9f09c611863058993ae0
SSDEEP

6144:GKmHRfq8+gw9tiUhrMQqAnlxBqOJ2+/GdAkV10Uv5ERZX:GKmxfqNP9/MtAvMS2Dyc0UviRZ

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

laboratoriogenfarp.linkpc.net:3490

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
windefendllinici.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1584-64-0x000000000040C75E-mapping.dmp	asyncrat
behavioral1/memory/1584-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1584-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1584-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1584-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1584-61-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1420-88-0x000000000040C75E-mapping.dmp	asyncrat
behavioral1/memory/1420-91-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1420-93-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

windefendllinici.exewindefendllinici.exe

pid process

1852 windefendllinici.exe
1420 windefendllinici.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exewindefendllinici.exe

pid process

740 cmd.exe
1852 windefendllinici.exe

pid	process
1852	windefendllinici.exe
1420	windefendllinici.exe

pid	process
740	cmd.exe
1852	windefendllinici.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exewindefendllinici.exe

description	pid	process	target process
PID 1600 set thread context of 1584	1600	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
PID 1852 set thread context of 1420	1852	windefendllinici.exe	windefendllinici.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1096 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1644 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe

pid process

1584 0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe

description pid process

Token: SeDebugPrivilege 1584 0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe

pid	process
1096	schtasks.exe

pid	process
1644	timeout.exe

pid	process
1584	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe

description	pid	process
Token: SeDebugPrivilege	1584	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.execmd.execmd.exewindefendllinici.exe

description	pid	process	target process
PID 1600 wrote to memory of 1584	1600	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
PID 1600 wrote to memory of 1584	1600	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
PID 1600 wrote to memory of 1584	1600	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
PID 1600 wrote to memory of 1584	1600	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
PID 1600 wrote to memory of 1584	1600	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
PID 1600 wrote to memory of 1584	1600	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
PID 1600 wrote to memory of 1584	1600	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
PID 1600 wrote to memory of 1584	1600	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
PID 1600 wrote to memory of 1584	1600	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
PID 1584 wrote to memory of 304	1584	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	cmd.exe
PID 1584 wrote to memory of 304	1584	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	cmd.exe
PID 1584 wrote to memory of 304	1584	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	cmd.exe
PID 1584 wrote to memory of 304	1584	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	cmd.exe
PID 1584 wrote to memory of 740	1584	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	cmd.exe
PID 1584 wrote to memory of 740	1584	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	cmd.exe
PID 1584 wrote to memory of 740	1584	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	cmd.exe
PID 1584 wrote to memory of 740	1584	0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe	cmd.exe
PID 304 wrote to memory of 1096	304	cmd.exe	schtasks.exe
PID 304 wrote to memory of 1096	304	cmd.exe	schtasks.exe
PID 304 wrote to memory of 1096	304	cmd.exe	schtasks.exe
PID 304 wrote to memory of 1096	304	cmd.exe	schtasks.exe
PID 740 wrote to memory of 1644	740	cmd.exe	timeout.exe
PID 740 wrote to memory of 1644	740	cmd.exe	timeout.exe
PID 740 wrote to memory of 1644	740	cmd.exe	timeout.exe
PID 740 wrote to memory of 1644	740	cmd.exe	timeout.exe
PID 740 wrote to memory of 1852	740	cmd.exe	windefendllinici.exe
PID 740 wrote to memory of 1852	740	cmd.exe	windefendllinici.exe
PID 740 wrote to memory of 1852	740	cmd.exe	windefendllinici.exe
PID 740 wrote to memory of 1852	740	cmd.exe	windefendllinici.exe
PID 1852 wrote to memory of 1420	1852	windefendllinici.exe	windefendllinici.exe
PID 1852 wrote to memory of 1420	1852	windefendllinici.exe	windefendllinici.exe
PID 1852 wrote to memory of 1420	1852	windefendllinici.exe	windefendllinici.exe
PID 1852 wrote to memory of 1420	1852	windefendllinici.exe	windefendllinici.exe
PID 1852 wrote to memory of 1420	1852	windefendllinici.exe	windefendllinici.exe
PID 1852 wrote to memory of 1420	1852	windefendllinici.exe	windefendllinici.exe
PID 1852 wrote to memory of 1420	1852	windefendllinici.exe	windefendllinici.exe
PID 1852 wrote to memory of 1420	1852	windefendllinici.exe	windefendllinici.exe
PID 1852 wrote to memory of 1420	1852	windefendllinici.exe	windefendllinici.exe

C:\Users\Admin\AppData\Local\Temp\0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
"C:\Users\Admin\AppData\Local\Temp\0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe
"C:\Users\Admin\AppData\Local\Temp\0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windefendllinici" /tr '"C:\Users\Admin\AppData\Local\Temp\windefendllinici.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "windefendllinici" /tr '"C:\Users\Admin\AppData\Local\Temp\windefendllinici.exe"'
4⤵
- Creates scheduled task(s)
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3219.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1644

C:\Users\Admin\AppData\Local\Temp\windefendllinici.exe
"C:\Users\Admin\AppData\Local\Temp\windefendllinici.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\windefendllinici.exe
"C:\Users\Admin\AppData\Local\Temp\windefendllinici.exe"
5⤵
- Executes dropped EXE
PID:1420

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3219.tmp.bat
Filesize
163B

MD5
39e3b1b92b720d7108983283e99e1108

SHA1
250400cc2d53ce7fff1799d486b42b19713183ac

SHA256
99b81b46e8875713542fd0eb440c8bbbf6da46c7e30de656c6dff890409c8744

SHA512
4c4cfcb759eefb6a69e4d7920b1be2e3481c71c5773091ad390b303a825d2ec4a2dcee4d7b7ffe73f14042b384706bc90813da10ce4081f84c53f97677c99234

Download Submit
C:\Users\Admin\AppData\Local\Temp\windefendllinici.exe
Filesize
375KB

MD5
fe6df2be242b8f051d1031ac17f97788

SHA1
836da0ac005c03940cc3401d83528326a2148a56

SHA256
0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d

SHA512
bb930da5561f33315f480b2c0347e49de208d4fcf178f4dcb94e4b24a347ef6ec1dededc5ff4cd0867f35d6e36f7bfb5f8560756dabc9f09c611863058993ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\windefendllinici.exe
Filesize
375KB

MD5
fe6df2be242b8f051d1031ac17f97788

SHA1
836da0ac005c03940cc3401d83528326a2148a56

SHA256
0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d

SHA512
bb930da5561f33315f480b2c0347e49de208d4fcf178f4dcb94e4b24a347ef6ec1dededc5ff4cd0867f35d6e36f7bfb5f8560756dabc9f09c611863058993ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\windefendllinici.exe
Filesize
375KB

MD5
fe6df2be242b8f051d1031ac17f97788

SHA1
836da0ac005c03940cc3401d83528326a2148a56

SHA256
0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d

SHA512
bb930da5561f33315f480b2c0347e49de208d4fcf178f4dcb94e4b24a347ef6ec1dededc5ff4cd0867f35d6e36f7bfb5f8560756dabc9f09c611863058993ae0

Download Submit
\Users\Admin\AppData\Local\Temp\windefendllinici.exe
Filesize
375KB

MD5
fe6df2be242b8f051d1031ac17f97788

SHA1
836da0ac005c03940cc3401d83528326a2148a56

SHA256
0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d

SHA512
bb930da5561f33315f480b2c0347e49de208d4fcf178f4dcb94e4b24a347ef6ec1dededc5ff4cd0867f35d6e36f7bfb5f8560756dabc9f09c611863058993ae0

Download Submit
\Users\Admin\AppData\Local\Temp\windefendllinici.exe
Filesize
375KB

MD5
fe6df2be242b8f051d1031ac17f97788

SHA1
836da0ac005c03940cc3401d83528326a2148a56

SHA256
0dc0afcacc62e67589ff14452f5e1fc749c36f70ecedbed56b39c0e0081c2e3d

SHA512
bb930da5561f33315f480b2c0347e49de208d4fcf178f4dcb94e4b24a347ef6ec1dededc5ff4cd0867f35d6e36f7bfb5f8560756dabc9f09c611863058993ae0

Download Submit
memory/304-70-0x0000000000000000-mapping.dmp

Download
memory/740-71-0x0000000000000000-mapping.dmp

Download
memory/1096-73-0x0000000000000000-mapping.dmp

Download
memory/1420-93-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1420-88-0x000000000040C75E-mapping.dmp

Download
memory/1420-91-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1584-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1584-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1584-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1584-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1584-64-0x000000000040C75E-mapping.dmp

Download
memory/1584-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1584-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1584-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1600-54-0x0000000000050000-0x00000000000B4000-memory.dmp

Filesize
400KB

Download
memory/1600-56-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/1600-55-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1600-57-0x0000000002220000-0x0000000002260000-memory.dmp

Filesize
256KB

Download
memory/1644-74-0x0000000000000000-mapping.dmp

Download
memory/1852-79-0x00000000000A0000-0x0000000000104000-memory.dmp

Filesize
400KB

Download
memory/1852-77-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads