asyncrat | 5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8

General

Target

LocalSecurity.exe
Size

45KB
MD5

82e07ce7c9183c9d8098c006a5717ead
SHA1

f02f8f5374af906765b5fa1c4758252611767a19
SHA256

5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8
SHA512

0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce
SSDEEP

768:zujYm1TUET1/WUTQV9mo2qzNRt4TOPIvzjbrgX3iau2uCBVgAxm9VldBDZvx:zujYm1TU0I2kE3v3bUXSz29VgRzdvx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:7707

127.0.0.1:1604

127.0.0.1:8808

127.0.0.1:6606

127.0.0.1:17172

6.tcp.eu.ngrok.io:7707

6.tcp.eu.ngrok.io:1604

6.tcp.eu.ngrok.io:8808

6.tcp.eu.ngrok.io:6606

6.tcp.eu.ngrok.io:17172

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Runtime Broker.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/764-54-0x0000000000A50000-0x0000000000A62000-memory.dmp	asyncrat
\Users\Admin\AppData\Roaming\Runtime Broker.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe	asyncrat
behavioral1/memory/1720-65-0x0000000001100000-0x0000000001112000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Runtime Broker.exe

pid process

1720 Runtime Broker.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

952 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

884 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

976 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

LocalSecurity.exe

pid process

764 LocalSecurity.exe

pid	process
1720	Runtime Broker.exe

pid	process
952	cmd.exe

pid	process
884	schtasks.exe

pid	process
976	timeout.exe

pid	process
764	LocalSecurity.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

LocalSecurity.exeRuntime Broker.exe

description	pid	process
Token: SeDebugPrivilege	764	LocalSecurity.exe
Token: SeDebugPrivilege	1720	Runtime Broker.exe
Token: SeDebugPrivilege	1720	Runtime Broker.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

LocalSecurity.execmd.execmd.exe

description	pid	process	target process
PID 764 wrote to memory of 336	764	LocalSecurity.exe	cmd.exe
PID 764 wrote to memory of 336	764	LocalSecurity.exe	cmd.exe
PID 764 wrote to memory of 336	764	LocalSecurity.exe	cmd.exe
PID 764 wrote to memory of 336	764	LocalSecurity.exe	cmd.exe
PID 764 wrote to memory of 952	764	LocalSecurity.exe	cmd.exe
PID 764 wrote to memory of 952	764	LocalSecurity.exe	cmd.exe
PID 764 wrote to memory of 952	764	LocalSecurity.exe	cmd.exe
PID 764 wrote to memory of 952	764	LocalSecurity.exe	cmd.exe
PID 336 wrote to memory of 884	336	cmd.exe	schtasks.exe
PID 336 wrote to memory of 884	336	cmd.exe	schtasks.exe
PID 336 wrote to memory of 884	336	cmd.exe	schtasks.exe
PID 336 wrote to memory of 884	336	cmd.exe	schtasks.exe
PID 952 wrote to memory of 976	952	cmd.exe	timeout.exe
PID 952 wrote to memory of 976	952	cmd.exe	timeout.exe
PID 952 wrote to memory of 976	952	cmd.exe	timeout.exe
PID 952 wrote to memory of 976	952	cmd.exe	timeout.exe
PID 952 wrote to memory of 1720	952	cmd.exe	Runtime Broker.exe
PID 952 wrote to memory of 1720	952	cmd.exe	Runtime Broker.exe
PID 952 wrote to memory of 1720	952	cmd.exe	Runtime Broker.exe
PID 952 wrote to memory of 1720	952	cmd.exe	Runtime Broker.exe

C:\Users\Admin\AppData\Local\Temp\LocalSecurity.exe
"C:\Users\Admin\AppData\Local\Temp\LocalSecurity.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
3⤵
- Creates scheduled task(s)
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF00A.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:976

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF00A.tmp.bat
Filesize
158B

MD5
5ff383a08d7eab6cc6bcf4b93c3ed57d

SHA1
dfab047e2b29e46a2f95e1825cb45d1ee000954d

SHA256
046a62fceff391ed6d2b167cb287a084d4c429012d3591e8e4df405a920200f1

SHA512
a589ace32b57f036ae72799bc0cb10ef7bac5384d916fd4242715d9df673ec524a46cf2c67558bbc1c1f6008612b3df65bb6980d6da54b43d94e3c0ebdc8a38f

Download Submit
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Filesize
45KB

MD5
82e07ce7c9183c9d8098c006a5717ead

SHA1
f02f8f5374af906765b5fa1c4758252611767a19

SHA256
5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8

SHA512
0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce

Download Submit
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Filesize
45KB

MD5
82e07ce7c9183c9d8098c006a5717ead

SHA1
f02f8f5374af906765b5fa1c4758252611767a19

SHA256
5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8

SHA512
0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce

Download Submit
\Users\Admin\AppData\Roaming\Runtime Broker.exe
Filesize
45KB

MD5
82e07ce7c9183c9d8098c006a5717ead

SHA1
f02f8f5374af906765b5fa1c4758252611767a19

SHA256
5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8

SHA512
0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce

Download Submit
memory/336-56-0x0000000000000000-mapping.dmp

Download
memory/764-54-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/764-55-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/884-58-0x0000000000000000-mapping.dmp

Download
memory/952-57-0x0000000000000000-mapping.dmp

Download
memory/976-60-0x0000000000000000-mapping.dmp

Download
memory/1720-63-0x0000000000000000-mapping.dmp

Download
memory/1720-65-0x0000000001100000-0x0000000001112000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads