asyncrat | b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f

General

Target

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
Size

413KB
MD5

7e09977213008f9aedf2d632e12d6e07
SHA1

7faec1e3a1d3dee4e6d94177a2f9ddad14995230
SHA256

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f
SHA512

0149d3c5c42086d965288c6e1ef064f2b5bc1a904088586a48c70f4c696d73736e5293522b0039e1a5228437f04f87dd729b4f6ce6c5502bcdb17cdfdf84a903
SSDEEP

6144:6iHmCccfg4FZA+wELY2dq1E3jH2GG+9Ji5SJ19QSAu0xlEDxVk4LZEkVF:6iJG+wwdq1I2GXFJDQZu0/SxZDF

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:81

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Choromeupdate.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1252-56-0x00000000003E0000-0x00000000003F2000-memory.dmp	asyncrat
behavioral1/memory/932-70-0x0000000000440000-0x0000000000452000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Choromeupdate.exe

pid process

932 Choromeupdate.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

288 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1256 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1432 timeout.exe

pid	process
932	Choromeupdate.exe

pid	process
288	cmd.exe

pid	process
1256	schtasks.exe

pid	process
1432	timeout.exe

Modifies registry class 7 IoCs

Processes:

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exeChoromeupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CID\{41005900-6600-6700-5A00-6B0044003600}\1 = "7GTeXXjfHpFaArmUOxGdhFGD28tfF5mt6UlSTUpwUWrh9nlRHsCVOPJSwJWdpU+1BeHL1GHfPtEc8ZvgNZPPGZHKcbcR0F/lvh1Hfj3DlL/wnqoxugECuhzOSX6uH7S0dVA78T0n4QOHGjfHtaqg8cRlmDLd9Epp1sNG56SdE3zse7hrZYuHM8XIyy1fERp4OQvupJHMsrnrurplu7PXYNaa5fehmpieRHpcvEKttco892tBjTY/MuDudGrVPjkw/jVfAsvVPxAATh1fTDG/A4r/iH51KYGGG3TwDHk0dWnawoDZpDWtk/7UTMJrTHRG5kayUNgl8iFDY5Iv+jGF14B5ZTYyl9Z6U+DCKOOaWYWociIAUeZu7RJxyiSjCehlu11tBdn5SGLuBz5rKG3eKJINnxp0rleAaWp/y2VozwvxUnfOoayv1J8UpplSNmnjbMRZUV6pM43dUSZfccxHcw=="	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CID\{69006B00-6C00-6800-6400-390044007000}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CID\{69006B00-6C00-6800-6400-390044007000}\1 = "1imbooJ2S32kh53K81PZoCawtTSc0rZP+CilR1QYEBFtjpl3NG566qCVKwkSRgKclOSgpMD1CvMuavK7ilywasy5QIyRPjeYanZGEFezQJ+wkE514/UCveSnxHPINlPCT2ZunBxbt+vdhZWfgD9aIQni9zoI93N0NNsubMwzfht3urLSlRuTxrjQs+UAOIwQ"	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CID\{41005900-6600-6700-5A00-6B0044003600}\1 = "7GTeXXjfHpFaArmUOxGdhFGD28tfF5mt6UlSTUpwUWrh9nlRHsCVOPJSwJWdpU+1BeHL1GHfPtEc8ZvgNZPPGZHKcbcR0F/lvh1Hfj3DlL/wnqoxugECuhzOSX6uH7S0dVA78T0n4QOHGjfHtaqg8cRlmDLd9Epp1sNG56SdE3zse7hrZYuHM8XIyy1fERp4OQvupJHMsrnrurplu7PXYNaa5fehmpieRHpcvEKttco892tBjTY/MuDudGrVPjkw/jVfAsvVPxAATh1fTDG/A4r/iH51KYGGG3TwDHk0dWnawoDZpDWtk/7UTMJrTHRG5kayUNgl8iFDY5Iv+jGF14B5ZTYyl9Z6U+DCKOOaWYWociIAUeZu7RJxyiSjCehlu11tBdn5SGLuBz5rKG3eKJINnxp0rleAaWp/y2VozwvxUnfOoayv1J8UpplSNmnjbMRZUV6pM43dUSZfccxHcw=="	Choromeupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CID\{69006B00-6C00-6800-6400-390044007000}\1 = "3xkjEtFfdc0t8jiup5JzgeS1cdQXFemf7+WeyJ4A1+/RaJHOlUXzsWuWebzddn2uETLskmfo+KGKnpabAyqAR09E+I5OkBp4UxvRqWZ9FmkO3cVDrcKMoyGCigy6JsIE0myycdRNvh4xH8paFgzS6lKe4pmqCDVgHgoAlPYGhP7f1K3aOfAAATjcCWgIWSbS"	Choromeupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CID\{41005900-6600-6700-5A00-6B0044003600}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CID	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe

NTFS ADS 12 IoCs

Processes:

Choromeupdate.exeb86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming:{41005900-6600-6700-5A00-6B0044003600}	Choromeupdate.exe
File created	C:\MSOCache:{41005900-6600-6700-5A00-6B0044003600}	Choromeupdate.exe
File created	C:\Users\Admin\AppData\Roaming:{69006B00-6C00-6800-6400-390044007000}	Choromeupdate.exe
File created	C:\Users\Admin\Documents\My Music:{69006B00-6C00-6800-6400-390044007000}	Choromeupdate.exe
File created	C:\MSOCache:{69006B00-6C00-6800-6400-390044007000}	Choromeupdate.exe
File created	C:\Users\Admin\AppData\Local\Temp:{69006B00-6C00-6800-6400-390044007000}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
File created	C:\Users\Admin\Documents\My Music:{69006B00-6C00-6800-6400-390044007000}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
File created	C:\MSOCache:{69006B00-6C00-6800-6400-390044007000}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
File created	C:\Users\Admin\Documents\My Music:{41005900-6600-6700-5A00-6B0044003600}	Choromeupdate.exe
File created	C:\Users\Admin\AppData\Local\Temp:{41005900-6600-6700-5A00-6B0044003600}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
File created	C:\Users\Admin\Documents\My Music:{41005900-6600-6700-5A00-6B0044003600}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
File created	C:\MSOCache:{41005900-6600-6700-5A00-6B0044003600}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe

pid process

1252 b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe

pid	process
1252	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exeChoromeupdate.exe

description	pid	process
Token: SeDebugPrivilege	1252	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
Token: SeDebugPrivilege	932	Choromeupdate.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.execmd.execmd.exe

description	pid	process	target process
PID 1252 wrote to memory of 1376	1252	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 1252 wrote to memory of 1376	1252	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 1252 wrote to memory of 1376	1252	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 1252 wrote to memory of 1376	1252	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 1252 wrote to memory of 288	1252	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 1252 wrote to memory of 288	1252	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 1252 wrote to memory of 288	1252	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 1252 wrote to memory of 288	1252	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 1376 wrote to memory of 1256	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 1256	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 1256	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 1256	1376	cmd.exe	schtasks.exe
PID 288 wrote to memory of 1432	288	cmd.exe	timeout.exe
PID 288 wrote to memory of 1432	288	cmd.exe	timeout.exe
PID 288 wrote to memory of 1432	288	cmd.exe	timeout.exe
PID 288 wrote to memory of 1432	288	cmd.exe	timeout.exe
PID 288 wrote to memory of 932	288	cmd.exe	Choromeupdate.exe
PID 288 wrote to memory of 932	288	cmd.exe	Choromeupdate.exe
PID 288 wrote to memory of 932	288	cmd.exe	Choromeupdate.exe
PID 288 wrote to memory of 932	288	cmd.exe	Choromeupdate.exe
PID 288 wrote to memory of 932	288	cmd.exe	Choromeupdate.exe
PID 288 wrote to memory of 932	288	cmd.exe	Choromeupdate.exe
PID 288 wrote to memory of 932	288	cmd.exe	Choromeupdate.exe

C:\Users\Admin\AppData\Local\Temp\b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
"C:\Users\Admin\AppData\Local\Temp\b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe"
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Choromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\Choromeupdate.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Choromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\Choromeupdate.exe"'
3⤵
- Creates scheduled task(s)
PID:1256

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6B42.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1432

C:\Users\Admin\AppData\Roaming\Choromeupdate.exe
"C:\Users\Admin\AppData\Roaming\Choromeupdate.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Isolated Storage\{69006B00-6C00-6800-6400-390044007000}
Filesize
384B

MD5
a14ab38c9a14ba45b0bf06c96a6f4df6

SHA1
6ca9fea3745d97405c4ff145fba5333b59bf4275

SHA256
78ffbd2689c6d726a52eedf530358140ac2b2a854defef12e91502e17dde3fb6

SHA512
a4ad2db866faa15c015ca9e45abdc1955ad1b4573ab17f1165edfe9c10bc11219cd1302f5597ae189b629db4968838d3e6f05d77140ccb0414faf66d86481d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B42.tmp.bat
Filesize
157B

MD5
e3b5a109a8c8b3145671eece7df91013

SHA1
dc07ee4a8d2c746bbcd48ec2570134036abbaee5

SHA256
9f4e40f5fcf52633800ed3aa24884307284f25f4df1abf813e19c0d2051ac550

SHA512
4df411e6fd83c202b392dbb74e009186a9595b90c5d197fec0d3ff664585871cdd1b61b6e60b340a898174f1131499a3cf7a0fa7716ba519ce3c62c41327f555

Download Submit
C:\Users\Admin\AppData\Roaming\Choromeupdate.exe
Filesize
413KB

MD5
7e09977213008f9aedf2d632e12d6e07

SHA1
7faec1e3a1d3dee4e6d94177a2f9ddad14995230

SHA256
b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f

SHA512
0149d3c5c42086d965288c6e1ef064f2b5bc1a904088586a48c70f4c696d73736e5293522b0039e1a5228437f04f87dd729b4f6ce6c5502bcdb17cdfdf84a903

Download Submit
C:\Users\Admin\AppData\Roaming\Choromeupdate.exe
Filesize
413KB

MD5
7e09977213008f9aedf2d632e12d6e07

SHA1
7faec1e3a1d3dee4e6d94177a2f9ddad14995230

SHA256
b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f

SHA512
0149d3c5c42086d965288c6e1ef064f2b5bc1a904088586a48c70f4c696d73736e5293522b0039e1a5228437f04f87dd729b4f6ce6c5502bcdb17cdfdf84a903

Download Submit
\Users\Admin\AppData\Roaming\Choromeupdate.exe
Filesize
413KB

MD5
7e09977213008f9aedf2d632e12d6e07

SHA1
7faec1e3a1d3dee4e6d94177a2f9ddad14995230

SHA256
b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f

SHA512
0149d3c5c42086d965288c6e1ef064f2b5bc1a904088586a48c70f4c696d73736e5293522b0039e1a5228437f04f87dd729b4f6ce6c5502bcdb17cdfdf84a903

Download Submit
memory/288-59-0x0000000000000000-mapping.dmp

Download
memory/932-65-0x0000000000000000-mapping.dmp

Download
memory/932-67-0x0000000000DB0000-0x0000000000E1E000-memory.dmp

Filesize
440KB

Download
memory/932-70-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1252-56-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1252-54-0x0000000000120000-0x000000000018E000-memory.dmp

Filesize
440KB

Download
memory/1252-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1256-60-0x0000000000000000-mapping.dmp

Download
memory/1376-57-0x0000000000000000-mapping.dmp

Download
memory/1432-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads