asyncrat | c65474ab1e1cf358b34fb782e40b9208d967624bb63d4f58a749d7b27c0aee71

Analysis

max time kernel
180s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AS-0987654567890-09654.pif.exe
Size

152KB
MD5

ba88096aed1d0887ac87096eb02f31d7
SHA1

653ec005de1c9eaa01d0caf97fd4a4c568263df1
SHA256

c65474ab1e1cf358b34fb782e40b9208d967624bb63d4f58a749d7b27c0aee71
SHA512

73323ddb58b6aed0b8a171a2e1aeb10c6e8dcf12cd8bf2240d7e64ec70898cba340016e4659ab3fea909bbddbb3404e0af70396fe8b98ed10b388706b2d6c285
SSDEEP

3072:QEhKzShSycSMPJk+V42ma+9zxIT+DPjMBBYECSF:QBn1PJkS42mBITe+US

Score

10^/10

asyncrat persistence rat upx

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/308-147-0x0000000000400000-0x0000000000427000-memory.dmp	asyncrat

Executes dropped EXE 6 IoCs

Processes:

sbuwe.exesbuwe.exesbuwe.exesbuwe.exesbuwe.exesbuwe.exe

pid process

2232 sbuwe.exe
4460 sbuwe.exe
1032 sbuwe.exe
2172 sbuwe.exe
1504 sbuwe.exe
308 sbuwe.exe

pid	process
2232	sbuwe.exe
4460	sbuwe.exe
1032	sbuwe.exe
2172	sbuwe.exe
1504	sbuwe.exe
308	sbuwe.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/308-147-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sbuwe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oiagigju = "C:\\Users\\Admin\\AppData\\Roaming\\olmg\\ocwwiqlgifp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbuwe.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem"	sbuwe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sbuwe.exe

description pid process target process

PID 2232 set thread context of 308 2232 sbuwe.exe sbuwe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

sbuwe.exe

pid process

2232 sbuwe.exe
2232 sbuwe.exe
2232 sbuwe.exe
2232 sbuwe.exe
2232 sbuwe.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sbuwe.exe

description pid process

Token: SeDebugPrivilege 308 sbuwe.exe

description	pid	process	target process
PID 2232 set thread context of 308	2232	sbuwe.exe	sbuwe.exe

pid	process
2232	sbuwe.exe
2232	sbuwe.exe
2232	sbuwe.exe
2232	sbuwe.exe
2232	sbuwe.exe

description	pid	process
Token: SeDebugPrivilege	308	sbuwe.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

AS-0987654567890-09654.pif.exesbuwe.exe

description	pid	process	target process
PID 4592 wrote to memory of 2232	4592	AS-0987654567890-09654.pif.exe	sbuwe.exe
PID 4592 wrote to memory of 2232	4592	AS-0987654567890-09654.pif.exe	sbuwe.exe
PID 4592 wrote to memory of 2232	4592	AS-0987654567890-09654.pif.exe	sbuwe.exe
PID 2232 wrote to memory of 4460	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 4460	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 4460	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 1032	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 1032	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 1032	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 2172	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 2172	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 2172	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 1504	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 1504	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 1504	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 308	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 308	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 308	2232	sbuwe.exe	sbuwe.exe
PID 2232 wrote to memory of 308	2232	sbuwe.exe	sbuwe.exe

C:\Users\Admin\AppData\Local\Temp\AS-0987654567890-09654.pif.exe
"C:\Users\Admin\AppData\Local\Temp\AS-0987654567890-09654.pif.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
"C:\Users\Admin\AppData\Local\Temp\sbuwe.exe" C:\Users\Admin\AppData\Local\Temp\czxzqyursx.swv
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
"C:\Users\Admin\AppData\Local\Temp\sbuwe.exe"
3⤵
- Executes dropped EXE
PID:4460

C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
"C:\Users\Admin\AppData\Local\Temp\sbuwe.exe"
3⤵
- Executes dropped EXE
PID:1032

C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
"C:\Users\Admin\AppData\Local\Temp\sbuwe.exe"
3⤵
- Executes dropped EXE
PID:2172

C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
"C:\Users\Admin\AppData\Local\Temp\sbuwe.exe"
3⤵
- Executes dropped EXE
PID:1504

C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
"C:\Users\Admin\AppData\Local\Temp\sbuwe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\czxzqyursx.swv
Filesize
7KB

MD5
3e89ab76378b853abae0815b619cd419

SHA1
35f8ee8bdba1d5c3f3bf1f8ab13b96357e77ec2a

SHA256
6a6ab3f8800efa664b3d13b58b14478c169575915bea91ef57c9564e256bd929

SHA512
cbddf2239c49c0ef961deb6bd095c59a660ef3d6d039459b2b1fc1884cbd1ddb518c038610a06a118e260a76da29b4c5e638ca1ccccc6f8b391bff3de2c0f0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
Filesize
99KB

MD5
51b1213e3b3ac55e28bdfb6ba8e68d65

SHA1
f7db5144b7510e4f47385d9e892ab0ec5e8b528c

SHA256
a6f1575a17540db945d22247f41b80f00b8f1a5d85a63d0c2aa7fb9aa405bd3f

SHA512
6652ae87cf05151769f70fdc2d771dd09edda183758acc18f86d707bbaa65c51c57f9443c053ab5677e260ca836f257d2eccb20b0bc94cc7c6f9ec133635756f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
Filesize
99KB

MD5
51b1213e3b3ac55e28bdfb6ba8e68d65

SHA1
f7db5144b7510e4f47385d9e892ab0ec5e8b528c

SHA256
a6f1575a17540db945d22247f41b80f00b8f1a5d85a63d0c2aa7fb9aa405bd3f

SHA512
6652ae87cf05151769f70fdc2d771dd09edda183758acc18f86d707bbaa65c51c57f9443c053ab5677e260ca836f257d2eccb20b0bc94cc7c6f9ec133635756f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
Filesize
99KB

MD5
51b1213e3b3ac55e28bdfb6ba8e68d65

SHA1
f7db5144b7510e4f47385d9e892ab0ec5e8b528c

SHA256
a6f1575a17540db945d22247f41b80f00b8f1a5d85a63d0c2aa7fb9aa405bd3f

SHA512
6652ae87cf05151769f70fdc2d771dd09edda183758acc18f86d707bbaa65c51c57f9443c053ab5677e260ca836f257d2eccb20b0bc94cc7c6f9ec133635756f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
Filesize
99KB

MD5
51b1213e3b3ac55e28bdfb6ba8e68d65

SHA1
f7db5144b7510e4f47385d9e892ab0ec5e8b528c

SHA256
a6f1575a17540db945d22247f41b80f00b8f1a5d85a63d0c2aa7fb9aa405bd3f

SHA512
6652ae87cf05151769f70fdc2d771dd09edda183758acc18f86d707bbaa65c51c57f9443c053ab5677e260ca836f257d2eccb20b0bc94cc7c6f9ec133635756f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
Filesize
99KB

MD5
51b1213e3b3ac55e28bdfb6ba8e68d65

SHA1
f7db5144b7510e4f47385d9e892ab0ec5e8b528c

SHA256
a6f1575a17540db945d22247f41b80f00b8f1a5d85a63d0c2aa7fb9aa405bd3f

SHA512
6652ae87cf05151769f70fdc2d771dd09edda183758acc18f86d707bbaa65c51c57f9443c053ab5677e260ca836f257d2eccb20b0bc94cc7c6f9ec133635756f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
Filesize
99KB

MD5
51b1213e3b3ac55e28bdfb6ba8e68d65

SHA1
f7db5144b7510e4f47385d9e892ab0ec5e8b528c

SHA256
a6f1575a17540db945d22247f41b80f00b8f1a5d85a63d0c2aa7fb9aa405bd3f

SHA512
6652ae87cf05151769f70fdc2d771dd09edda183758acc18f86d707bbaa65c51c57f9443c053ab5677e260ca836f257d2eccb20b0bc94cc7c6f9ec133635756f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
Filesize
99KB

MD5
51b1213e3b3ac55e28bdfb6ba8e68d65

SHA1
f7db5144b7510e4f47385d9e892ab0ec5e8b528c

SHA256
a6f1575a17540db945d22247f41b80f00b8f1a5d85a63d0c2aa7fb9aa405bd3f

SHA512
6652ae87cf05151769f70fdc2d771dd09edda183758acc18f86d707bbaa65c51c57f9443c053ab5677e260ca836f257d2eccb20b0bc94cc7c6f9ec133635756f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scmky.pqz
Filesize
66KB

MD5
1c57157238cd8136733d20228666fc29

SHA1
9a7ed5d6e7413bf269b6725625bd6594dba9eb3e

SHA256
050c95c5cf12d9ccdbca94b80e7b0c59a3670e4571c853ae7d47ccc7f2bbc4cc

SHA512
ba3fc8c777f2e2f4b74ad1a09eafc3d5f64cb92ddb80cac2812268eac05719cb4a8725ca898ef7c8e0f4093775cf9e5b7454ca1c3bd50133236ab76c9362151c

Download Submit
memory/308-145-0x0000000000000000-mapping.dmp

Download
memory/308-147-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/308-148-0x0000000005740000-0x00000000057DC000-memory.dmp

Filesize
624KB

Download
memory/308-149-0x0000000005D90000-0x0000000006334000-memory.dmp

Filesize
5.6MB

Download
memory/308-150-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/1032-139-0x0000000000000000-mapping.dmp

Download
memory/1504-143-0x0000000000000000-mapping.dmp

Download
memory/2172-141-0x0000000000000000-mapping.dmp

Download
memory/2232-132-0x0000000000000000-mapping.dmp

Download
memory/4460-137-0x0000000000000000-mapping.dmp

Download