Analysis
- max time kernel: 123s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-01-2023 01:47
General
- Target: AsyncClient.exe
- Size: 47KB
- MD5: c72dd7c3ff0500ce16dbb6ce2264584a
- SHA1: 497a000e2d327a7a673bfca3d37fb14bb04ede85
- SHA256: 94a21aa6a814e7648dd11f7ee355c768b10de67aee343d674648f7c963da113e
- SHA512: 7e2dc492ea99a97c29e511ff78ca8feb712d965e9abe4fc6418527c6d61cc12c4e8776ffaf5b44bc9fd5cf9e25886a39a9ad75c59a900ef64330da1ecd05e837
- SSDEEP: 768:Ou/6ZTgoiziWUUM9rmo2qrwLh/bj5Qp9PICMPaSc0bSVir+KlvYQXgdEMABDZQx:Ou/6ZTgle2J5CMy4bSVC++WWdQx
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2:
  - 127.0.0.1:6606
  - 127.0.0.1:7707
  - 127.0.0.1:8808
  - oxy01.duckdns.org:6606
  - oxy01.duckdns.org:7707
  - oxy01.duckdns.org:8808
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  - delay: 3
  - install: false
  - install_folder: %AppData%
- aes.plain
Signatures

Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (AsyncClient.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (AsyncClient.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (AsyncClient.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (AsyncClient.exe)
Async RAT payload 1 IoCs
- yara_rule asyncrat: behavioral1/memory/4644-132-0x0000000000170000-0x0000000000182000-memory.dmp
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (AsyncClient.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (AsyncClient.exe)
Suspicious use of SetThreadContext 1 IoCs
- PID 4644 (AsyncClient.exe) set thread context of PID 4168 (procid_target 90)
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 856 taskmgr.exe (all 64 entries identical)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 856 taskmgr.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
- Token: SeDebugPrivilege, PID 856 taskmgr.exe
- Token: SeSystemProfilePrivilege, PID 856 taskmgr.exe
- Token: SeCreateGlobalPrivilege, PID 856 taskmgr.exe
- Token: SeDebugPrivilege, PID 4644 AsyncClient.exe
- Token: SeDebugPrivilege, PID 4644 AsyncClient.exe
- Token: SeDebugPrivilege, PID 1412 powershell.exe
Suspicious use of FindShellTrayWindow 64 IoCs
- PID 856 taskmgr.exe (all 64 entries identical)
Suspicious use of SendNotifyMessage 64 IoCs
- PID 856 taskmgr.exe (all 64 entries identical)
Suspicious use of WriteProcessMemory 11 IoCs
- PID 4644 (AsyncClient.exe) wrote to memory of PID 4168 (procid_target 90), 8 identical entries
- PID 4644 (AsyncClient.exe) wrote to memory of PID 1412 (procid_target 91), 3 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe, command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe" (PID 4644)
  - Modifies Windows Defender Real-time Protection settings
  - Windows security modification
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 4168, child of 4644)
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" Get-MpPreference -verbose (PID 1412, child of 4644)
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe, command line: "C:\Windows\system32\taskmgr.exe" /4 (PID 856)
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage