asyncrat | a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2023, 11:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
Size

397KB
MD5

52195e2a7f97c64cae5e8a29526e331b
SHA1

8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757
SHA256

a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b
SHA512

44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b
SSDEEP

6144:qXMHJuU7CtrrwR9LXc5XQlDRHspjwYOvFoDngLV6yuY1HeO:q6bCprwRJsNTpjwYk+DnGVZu0+O

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3392-146-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 3 IoCs

pid	Process
4892	wintskl.exe
396	wintskl.exe
3132	wintskl.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wintskl.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4424 set thread context of 3392	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	89
PID 4892 set thread context of 3132	4892	wintskl.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4160	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3232	timeout.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3328	powershell.exe
3328	powershell.exe
4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
2216	powershell.exe
2216	powershell.exe
4892	wintskl.exe
4892	wintskl.exe
4892	wintskl.exe
4892	wintskl.exe
4892	wintskl.exe
4892	wintskl.exe
3132	wintskl.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
Token: SeDebugPrivilege	3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	4892	wintskl.exe
Token: SeDebugPrivilege	3132	wintskl.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 3328	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	81
PID 4424 wrote to memory of 3328	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	81
PID 4424 wrote to memory of 3328	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	81
PID 4424 wrote to memory of 3392	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	89
PID 4424 wrote to memory of 3392	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	89
PID 4424 wrote to memory of 3392	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	89
PID 4424 wrote to memory of 3392	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	89
PID 4424 wrote to memory of 3392	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	89
PID 4424 wrote to memory of 3392	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	89
PID 4424 wrote to memory of 3392	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	89
PID 4424 wrote to memory of 3392	4424	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	89
PID 3392 wrote to memory of 4160	3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	91
PID 3392 wrote to memory of 4160	3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	91
PID 3392 wrote to memory of 4160	3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	91
PID 3392 wrote to memory of 4492	3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	93
PID 3392 wrote to memory of 4492	3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	93
PID 3392 wrote to memory of 4492	3392	a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe	93
PID 4492 wrote to memory of 3232	4492	cmd.exe	95
PID 4492 wrote to memory of 3232	4492	cmd.exe	95
PID 4492 wrote to memory of 3232	4492	cmd.exe	95
PID 4492 wrote to memory of 4892	4492	cmd.exe	96
PID 4492 wrote to memory of 4892	4492	cmd.exe	96
PID 4492 wrote to memory of 4892	4492	cmd.exe	96
PID 4892 wrote to memory of 2216	4892	wintskl.exe	97
PID 4892 wrote to memory of 2216	4892	wintskl.exe	97
PID 4892 wrote to memory of 2216	4892	wintskl.exe	97
PID 4892 wrote to memory of 396	4892	wintskl.exe	99
PID 4892 wrote to memory of 396	4892	wintskl.exe	99
PID 4892 wrote to memory of 396	4892	wintskl.exe	99
PID 4892 wrote to memory of 3132	4892	wintskl.exe	100
PID 4892 wrote to memory of 3132	4892	wintskl.exe	100
PID 4892 wrote to memory of 3132	4892	wintskl.exe	100
PID 4892 wrote to memory of 3132	4892	wintskl.exe	100
PID 4892 wrote to memory of 3132	4892	wintskl.exe	100
PID 4892 wrote to memory of 3132	4892	wintskl.exe	100
PID 4892 wrote to memory of 3132	4892	wintskl.exe	100
PID 4892 wrote to memory of 3132	4892	wintskl.exe	100

C:\Users\Admin\AppData\Local\Temp\a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
"C:\Users\Admin\AppData\Local\Temp\a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Users\Admin\AppData\Local\Temp\a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
  C:\Users\Admin\AppData\Local\Temp\a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp203.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3232
  - - C:\Users\Admin\AppData\Roaming\wintskl.exe
      "C:\Users\Admin\AppData\Roaming\wintskl.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        5⤵
        Executes dropped EXE
        
        PID:396
    - - C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wintskl.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
f6ff71a0a5ce17473459d3c157351051

SHA1
b37cd1e768215cf63d49606ae230dc72388c7ed7

SHA256
1bb77af463afbddbdc8802ba304409d25d9e36fed28134cb33a36505c8124253

SHA512
1343d849a91cfbdaa32bbbdbf986ceb293cdf1a3ef22d620034e0bc70243e0c99d8c4a523252f7dc8d5b175c3c08d50125a921d557cfff2e7a1562b66adf3e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp203.tmp.bat

Filesize
150B

MD5
7860edd60309bc4a4cfa31acb8f5d042

SHA1
026af2371a4112cbfcc07fe6284523287917e5e5

SHA256
e0d1c5342f747d138462ac35f1e5cdb1aaef90895f532c0b65c1eb14aa302779

SHA512
e6453c596635bec2900231640cdde7937074f1aefc61f8792a30f3f9e0cffec9743f039eb1708e01511c6a8a9b4ecfc8916ca1a7f5090cbc408093fb7a75f2b1

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
41.5MB

MD5
aaf4a0df30d3af8966f9bc64e69e9ce2

SHA1
b9b8baae45320eb36ef0c671495988e6332a0ba6

SHA256
207b63f0c4a28b1f74133a7785ce15e65a2a15c170bfcff508c0ce0989fb273d

SHA512
b8b006aef7bd0bfa02de1cdd92accf86e3c28a3b8485d885ade28b2ba5bf4e96fa9cdefd78b39ee1a935934c21f96778571998e6578e7de4459eb47e3fafa8e1

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
41.5MB

MD5
aaf4a0df30d3af8966f9bc64e69e9ce2

SHA1
b9b8baae45320eb36ef0c671495988e6332a0ba6

SHA256
207b63f0c4a28b1f74133a7785ce15e65a2a15c170bfcff508c0ce0989fb273d

SHA512
b8b006aef7bd0bfa02de1cdd92accf86e3c28a3b8485d885ade28b2ba5bf4e96fa9cdefd78b39ee1a935934c21f96778571998e6578e7de4459eb47e3fafa8e1

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
41.5MB

MD5
aaf4a0df30d3af8966f9bc64e69e9ce2

SHA1
b9b8baae45320eb36ef0c671495988e6332a0ba6

SHA256
207b63f0c4a28b1f74133a7785ce15e65a2a15c170bfcff508c0ce0989fb273d

SHA512
b8b006aef7bd0bfa02de1cdd92accf86e3c28a3b8485d885ade28b2ba5bf4e96fa9cdefd78b39ee1a935934c21f96778571998e6578e7de4459eb47e3fafa8e1

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
41.5MB

MD5
aaf4a0df30d3af8966f9bc64e69e9ce2

SHA1
b9b8baae45320eb36ef0c671495988e6332a0ba6

SHA256
207b63f0c4a28b1f74133a7785ce15e65a2a15c170bfcff508c0ce0989fb273d

SHA512
b8b006aef7bd0bfa02de1cdd92accf86e3c28a3b8485d885ade28b2ba5bf4e96fa9cdefd78b39ee1a935934c21f96778571998e6578e7de4459eb47e3fafa8e1

Download Submit
memory/3328-140-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/3328-138-0x00000000055E0000-0x0000000005C08000-memory.dmp

Filesize
6.2MB

Download
memory/3328-137-0x0000000002E10000-0x0000000002E46000-memory.dmp

Filesize
216KB

Download
memory/3328-139-0x0000000005C60000-0x0000000005C82000-memory.dmp

Filesize
136KB

Download
memory/3328-141-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/3328-144-0x0000000006910000-0x000000000692A000-memory.dmp

Filesize
104KB

Download
memory/3328-142-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/3328-143-0x0000000007C80000-0x00000000082FA000-memory.dmp

Filesize
6.5MB

Download
memory/3392-146-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3392-148-0x0000000005AB0000-0x0000000005B4C000-memory.dmp

Filesize
624KB

Download
memory/4424-132-0x00000000000B0000-0x0000000000118000-memory.dmp

Filesize
416KB

Download
memory/4424-135-0x0000000004B50000-0x0000000004B5A000-memory.dmp

Filesize
40KB

Download
memory/4424-134-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/4424-133-0x0000000005130000-0x00000000056D4000-memory.dmp

Filesize
5.6MB

Download