asyncrat | 14d3276ca733ff2efebeb3208f7e233da4df8735514c216e5fa52a83e9110f8b

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-01-2023 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aws.exe
Size

85KB
MD5

63fb22e516c5c5f243b06b35883956f9
SHA1

b915cdc9c0a9f7afe7a28d8a47e778a2b99f8374
SHA256

14d3276ca733ff2efebeb3208f7e233da4df8735514c216e5fa52a83e9110f8b
SHA512

c012d8ac37a2742218c14812e50cb456ed3fe2df954059ce221a5c971746f74c4e940e37eb81443dd10df7a430e227b039a33d8264bbf42874d9076737808955
SSDEEP

1536:Yr4lbI9/CJxFz3FI8Cwof4wJ9JDUiPDMNkGbbawfpaSGRZVclN30/yRmP:O41I9/CJxFz3FI8Cwo7J7DRDMOGbbagG

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

192.253.245.243:7771

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
Windows Defender Security.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Defender Security.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	asyncrat
behavioral1/memory/472-64-0x0000000000EE0000-0x0000000000EF6000-memory.dmp	asyncrat

Executes dropped EXE 3 IoCs

Processes:

Windows Security.exeWindows Defender Security.exeWindows Security Service.exe

pid process

276 Windows Security.exe
472 Windows Defender Security.exe
1816 Windows Security Service.exe
Loads dropped DLL 3 IoCs

Processes:

aws.exeWindows Security.exe

pid process

1700 aws.exe
1700 aws.exe
276 Windows Security.exe

pid	process
276	Windows Security.exe
472	Windows Defender Security.exe
1816	Windows Security Service.exe

pid	process
1700	aws.exe
1700	aws.exe
276	Windows Security.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Service = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Security Windows Security Windows Security Service\\Windows Security Service.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

Windows Security.exeWindows Security Service.exe

pid process

276 Windows Security.exe
1816 Windows Security Service.exe

pid	process
276	Windows Security.exe
1816	Windows Security Service.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows Defender Security.exe

pid	process
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe
472	Windows Defender Security.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Windows Defender Security.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	472	Windows Defender Security.exe
Token: SeDebugPrivilege	472	Windows Defender Security.exe
Token: SeDebugPrivilege	1852	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

aws.exeWindows Security.exe

description	pid	process	target process
PID 1700 wrote to memory of 276	1700	aws.exe	Windows Security.exe
PID 1700 wrote to memory of 276	1700	aws.exe	Windows Security.exe
PID 1700 wrote to memory of 276	1700	aws.exe	Windows Security.exe
PID 1700 wrote to memory of 276	1700	aws.exe	Windows Security.exe
PID 1700 wrote to memory of 472	1700	aws.exe	Windows Defender Security.exe
PID 1700 wrote to memory of 472	1700	aws.exe	Windows Defender Security.exe
PID 1700 wrote to memory of 472	1700	aws.exe	Windows Defender Security.exe
PID 1700 wrote to memory of 472	1700	aws.exe	Windows Defender Security.exe
PID 276 wrote to memory of 1852	276	Windows Security.exe	powershell.exe
PID 276 wrote to memory of 1852	276	Windows Security.exe	powershell.exe
PID 276 wrote to memory of 1852	276	Windows Security.exe	powershell.exe
PID 276 wrote to memory of 1852	276	Windows Security.exe	powershell.exe
PID 276 wrote to memory of 1816	276	Windows Security.exe	Windows Security Service.exe
PID 276 wrote to memory of 1816	276	Windows Security.exe	Windows Security Service.exe
PID 276 wrote to memory of 1816	276	Windows Security.exe	Windows Security Service.exe
PID 276 wrote to memory of 1816	276	Windows Security.exe	Windows Security Service.exe

C:\Users\Admin\AppData\Local\Temp\aws.exe
"C:\Users\Admin\AppData\Local\Temp\aws.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Roaming\Windows Security.exe
"C:\Users\Admin\AppData\Roaming\Windows Security.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Service';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Service' -Value '"C:\Users\Admin\AppData\Roaming\Windows Security Windows Security Windows Security Service\Windows Security Service.exe"' -PropertyType 'String'
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Users\Admin\AppData\Roaming\Windows Security Windows Security Windows Security Service\Windows Security Service.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Windows Security Windows Security Service\Windows Security Service.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1816

C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
Filesize
63KB

MD5
74254d6ccfbbc7f1696022dde5f9fee9

SHA1
e2ed9d4754f788d85d4d73f5a67a6b19b4a2bbb4

SHA256
26e76180b530f6e363624dd6a38c10a9fe0fd91abdd513c618f9b39ea24abec0

SHA512
ec2109e8d2182aac33668fa156b0e10f7f5ea3829bd19207805df052f4f789e564e387fb3fef975d2a05a0cda9427b9c1dc4f01e78e58f60a0937548715f7831

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
Filesize
63KB

MD5
74254d6ccfbbc7f1696022dde5f9fee9

SHA1
e2ed9d4754f788d85d4d73f5a67a6b19b4a2bbb4

SHA256
26e76180b530f6e363624dd6a38c10a9fe0fd91abdd513c618f9b39ea24abec0

SHA512
ec2109e8d2182aac33668fa156b0e10f7f5ea3829bd19207805df052f4f789e564e387fb3fef975d2a05a0cda9427b9c1dc4f01e78e58f60a0937548715f7831

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Windows Security Windows Security Service\Windows Security Service.exe
Filesize
42.3MB

MD5
b5a5ca7c1241866fb498abe51574a4da

SHA1
2b11ad733a68470ca2e304cd732b69a80baa0f68

SHA256
c6f2e5838ba397b64febc92fa4e567d9d1440a2ff9376bd3fdd745ad95a04b69

SHA512
e85003d98f5c44508661196a8811b6ba804d03a4aa68144d847c3793c2d35507120c707975e418eb288122877ce50f0eaffa97d1c768dfcde71d1f061926dcfc

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Windows Security Windows Security Service\Windows Security Service.exe
Filesize
42.3MB

MD5
b5a5ca7c1241866fb498abe51574a4da

SHA1
2b11ad733a68470ca2e304cd732b69a80baa0f68

SHA256
c6f2e5838ba397b64febc92fa4e567d9d1440a2ff9376bd3fdd745ad95a04b69

SHA512
e85003d98f5c44508661196a8811b6ba804d03a4aa68144d847c3793c2d35507120c707975e418eb288122877ce50f0eaffa97d1c768dfcde71d1f061926dcfc

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security.exe
Filesize
10KB

MD5
bd222e0e523e4c9a20ddb7625a44b543

SHA1
63caaa470b36d26eb2f22728568a2c974221e2ad

SHA256
19825a869b9085d7c2ab5f634fa72b9a0b4779c9d9194e1b408e147309bcde7b

SHA512
03d78834d4ac7b78f33d3d694528ba1e34cb0f91f9567a1b26f39ec8030043c59c5248ad623718071e779fea892016c303cd10711c51d66d7cfdc06ea499916e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security.exe
Filesize
10KB

MD5
bd222e0e523e4c9a20ddb7625a44b543

SHA1
63caaa470b36d26eb2f22728568a2c974221e2ad

SHA256
19825a869b9085d7c2ab5f634fa72b9a0b4779c9d9194e1b408e147309bcde7b

SHA512
03d78834d4ac7b78f33d3d694528ba1e34cb0f91f9567a1b26f39ec8030043c59c5248ad623718071e779fea892016c303cd10711c51d66d7cfdc06ea499916e

Download Submit
\Users\Admin\AppData\Roaming\Windows Defender Security.exe
Filesize
63KB

MD5
74254d6ccfbbc7f1696022dde5f9fee9

SHA1
e2ed9d4754f788d85d4d73f5a67a6b19b4a2bbb4

SHA256
26e76180b530f6e363624dd6a38c10a9fe0fd91abdd513c618f9b39ea24abec0

SHA512
ec2109e8d2182aac33668fa156b0e10f7f5ea3829bd19207805df052f4f789e564e387fb3fef975d2a05a0cda9427b9c1dc4f01e78e58f60a0937548715f7831

Download Submit
\Users\Admin\AppData\Roaming\Windows Security Windows Security Windows Security Service\Windows Security Service.exe
Filesize
42.3MB

MD5
b5a5ca7c1241866fb498abe51574a4da

SHA1
2b11ad733a68470ca2e304cd732b69a80baa0f68

SHA256
c6f2e5838ba397b64febc92fa4e567d9d1440a2ff9376bd3fdd745ad95a04b69

SHA512
e85003d98f5c44508661196a8811b6ba804d03a4aa68144d847c3793c2d35507120c707975e418eb288122877ce50f0eaffa97d1c768dfcde71d1f061926dcfc

Download Submit
\Users\Admin\AppData\Roaming\Windows Security.exe
Filesize
10KB

MD5
bd222e0e523e4c9a20ddb7625a44b543

SHA1
63caaa470b36d26eb2f22728568a2c974221e2ad

SHA256
19825a869b9085d7c2ab5f634fa72b9a0b4779c9d9194e1b408e147309bcde7b

SHA512
03d78834d4ac7b78f33d3d694528ba1e34cb0f91f9567a1b26f39ec8030043c59c5248ad623718071e779fea892016c303cd10711c51d66d7cfdc06ea499916e

Download Submit
memory/276-65-0x0000000000060000-0x0000000000068000-memory.dmp

Filesize
32KB

Download
memory/276-56-0x0000000000000000-mapping.dmp

Download
memory/472-59-0x0000000000000000-mapping.dmp

Download
memory/472-64-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

Filesize
88KB

Download
memory/1700-63-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1816-70-0x0000000000000000-mapping.dmp

Download
memory/1816-73-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/1852-67-0x0000000000000000-mapping.dmp

Download
memory/1852-75-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download
memory/1852-76-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download