asyncrat | 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b

General

Target

79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
Size

73KB
MD5

10482931f17f3be85f40317d11e58018
SHA1

34a80a5d490c6d0bdc78e8f391557ca08683bb51
SHA256

79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b
SHA512

32518611ed1ed3a627be57a6cf92b9fed5c5c955d39335c630cdbede72134ec601ac9ad075b1de3598a8ccc7f74a27b9bc2b8ad95093cf180e21225db8161263
SSDEEP

1536:5SS/pmHEC0fEG7MNViGozuJZOiEnJuNCIzZpZ:5RpPC0fEG7uiGoCJYi+Jcpzt

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Executes dropped EXE 1 IoCs

Processes:

Server.exe

pid process

1020 Server.exe

pid	process
1020	Server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3048 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3220 timeout.exe

pid	process
3048	schtasks.exe

pid	process
3220	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe

pid	process
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exeServer.exe

description	pid	process
Token: SeDebugPrivilege	2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
Token: SeDebugPrivilege	1020	Server.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.execmd.execmd.exe

description	pid	process	target process
PID 2148 wrote to memory of 852	2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe	cmd.exe
PID 2148 wrote to memory of 852	2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe	cmd.exe
PID 2148 wrote to memory of 852	2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe	cmd.exe
PID 2148 wrote to memory of 4772	2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe	cmd.exe
PID 2148 wrote to memory of 4772	2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe	cmd.exe
PID 2148 wrote to memory of 4772	2148	79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe	cmd.exe
PID 852 wrote to memory of 3048	852	cmd.exe	schtasks.exe
PID 852 wrote to memory of 3048	852	cmd.exe	schtasks.exe
PID 852 wrote to memory of 3048	852	cmd.exe	schtasks.exe
PID 4772 wrote to memory of 3220	4772	cmd.exe	timeout.exe
PID 4772 wrote to memory of 3220	4772	cmd.exe	timeout.exe
PID 4772 wrote to memory of 3220	4772	cmd.exe	timeout.exe
PID 4772 wrote to memory of 1020	4772	cmd.exe	Server.exe
PID 4772 wrote to memory of 1020	4772	cmd.exe	Server.exe
PID 4772 wrote to memory of 1020	4772	cmd.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
"C:\Users\Admin\AppData\Local\Temp\79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Server" /tr '"C:\Users\Admin\AppData\Roaming\Server.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Server" /tr '"C:\Users\Admin\AppData\Roaming\Server.exe"'
3⤵
- Creates scheduled task(s)
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC72D.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3220

C:\Users\Admin\AppData\Roaming\Server.exe
"C:\Users\Admin\AppData\Roaming\Server.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC72D.tmp.bat
Filesize
150B

MD5
ca7026115427aa79ec9ec03d96d3a7c5

SHA1
bdcf12f5b51434053286b97f1e4363d02ac4368a

SHA256
ece6abeac2ce713c4b583769d7f913a6c97046db741d91d7a85b9841d38d041d

SHA512
ef9bf5e33849e8ec5e0e9d549e0fe8aa45cc7aeff7974ba6514a2b41789245e7119c45f6f2666c253c0a63d2cf19096312a21509eaada2fe1ce974b81f682668

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe
Filesize
73KB

MD5
10482931f17f3be85f40317d11e58018

SHA1
34a80a5d490c6d0bdc78e8f391557ca08683bb51

SHA256
79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b

SHA512
32518611ed1ed3a627be57a6cf92b9fed5c5c955d39335c630cdbede72134ec601ac9ad075b1de3598a8ccc7f74a27b9bc2b8ad95093cf180e21225db8161263

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe
Filesize
73KB

MD5
10482931f17f3be85f40317d11e58018

SHA1
34a80a5d490c6d0bdc78e8f391557ca08683bb51

SHA256
79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b

SHA512
32518611ed1ed3a627be57a6cf92b9fed5c5c955d39335c630cdbede72134ec601ac9ad075b1de3598a8ccc7f74a27b9bc2b8ad95093cf180e21225db8161263

Download Submit
memory/852-134-0x0000000000000000-mapping.dmp

Download
memory/1020-139-0x0000000000000000-mapping.dmp

Download
memory/2148-132-0x0000000000560000-0x0000000000578000-memory.dmp

Filesize
96KB

Download
memory/2148-133-0x0000000004FF0000-0x000000000508C000-memory.dmp

Filesize
624KB

Download
memory/3048-136-0x0000000000000000-mapping.dmp

Download
memory/3220-138-0x0000000000000000-mapping.dmp

Download
memory/4772-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads