asyncrat | b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f

General

Target

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
Size

413KB
MD5

7e09977213008f9aedf2d632e12d6e07
SHA1

7faec1e3a1d3dee4e6d94177a2f9ddad14995230
SHA256

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f
SHA512

0149d3c5c42086d965288c6e1ef064f2b5bc1a904088586a48c70f4c696d73736e5293522b0039e1a5228437f04f87dd729b4f6ce6c5502bcdb17cdfdf84a903
SSDEEP

6144:6iHmCccfg4FZA+wELY2dq1E3jH2GG+9Ji5SJ19QSAu0xlEDxVk4LZEkVF:6iJG+wwdq1I2GXFJDQZu0/SxZDF

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Executes dropped EXE 1 IoCs

Processes:

Choromeupdate.exe

pid process

2536 Choromeupdate.exe

pid	process
2536	Choromeupdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2728 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2976 timeout.exe

pid	process
2728	schtasks.exe

pid	process
2976	timeout.exe

Modifies registry class 7 IoCs

Processes:

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exeChoromeupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CID\{41005900-6600-6700-5A00-6B0044003600}\1 = "7GTeXXjfHpFaArmUOxGdhFGD28tfF5mt6UlSTUpwUWrh9nlRHsCVOPJSwJWdpU+1BeHL1GHfPtEc8ZvgNZPPGZHKcbcR0F/lvh1Hfj3DlL/wnqoxugECuhzOSX6uH7S0dVA78T0n4QOHGjfHtaqg8cRlmDLd9Epp1sNG56SdE3zse7hrZYuHM8XIyy1fERp4dTYQqenATJpIkeyKj2giMSXL1ZqW1JqWrf5P+iHtJR4YQ5L0l+tHxlzL2sMVtJWxM4Anp3HPlcwkPKPZjF0fUZfljngonRpyrVoV22Mtn0SHl/pEOxJTHxVlBSoiGSvknsddDPWZdVTQKg92rKAN8Bgv4RMBYcZIswVyV2psh3Nao2fmnZqKC9pin95aC1UmaK5oD+vXICi/jYMKc+qO2nzyu/JlEF/vb6u2DVLmZuRj0BA5KEYbCE/e8m9ELo635+Pv2qP3wiFA/P9G1/t7oQ=="	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CID\{69006B00-6C00-6800-6400-390044007000}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CID\{69006B00-6C00-6800-6400-390044007000}\1 = "1imbooJ2S32kh53K81PZoCawtTSc0rZP+CilR1QYEBFtjpl3NG566qCVKwkSRgKclOSgpMD1CvMuavK7ilywasy5QIyRPjeYanZGEFezQJ+wkE514/UCveSnxHPINlPCT2ZunBxbt+vdhZWfgD9aIQni9zoI93N0NNsubMwzfht3urLSlRuTxrjQs+UAOIwQ"	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CID\{41005900-6600-6700-5A00-6B0044003600}\1 = "7GTeXXjfHpFaArmUOxGdhFGD28tfF5mt6UlSTUpwUWrh9nlRHsCVOPJSwJWdpU+1BeHL1GHfPtEc8ZvgNZPPGZHKcbcR0F/lvh1Hfj3DlL/wnqoxugECuhzOSX6uH7S0dVA78T0n4QOHGjfHtaqg8cRlmDLd9Epp1sNG56SdE3zse7hrZYuHM8XIyy1fERp4dTYQqenATJpIkeyKj2giMSXL1ZqW1JqWrf5P+iHtJR4YQ5L0l+tHxlzL2sMVtJWxM4Anp3HPlcwkPKPZjF0fUZfljngonRpyrVoV22Mtn0SHl/pEOxJTHxVlBSoiGSvknsddDPWZdVTQKg92rKAN8Bgv4RMBYcZIswVyV2psh3Nao2fmnZqKC9pin95aC1UmaK5oD+vXICi/jYMKc+qO2nzyu/JlEF/vb6u2DVLmZuRj0BA5KEYbCE/e8m9ELo635+Pv2qP3wiFA/P9G1/t7oQ=="	Choromeupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CID\{69006B00-6C00-6800-6400-390044007000}\1 = "3xkjEtFfdc0t8jiup5JzgeS1cdQXFemf7+WeyJ4A1+/RaJHOlUXzsWuWebzddn2uETLskmfo+KGKnpabAyqAR09E+I5OkBp4UxvRqWZ9FmkO3cVDrcKMoyGCigy6JsIE0myycdRNvh4xH8paFgzS6lKe4pmqCDVgHgoAlPYGhP7f1K3aOfAAATjcCWgIWSbS"	Choromeupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CID\{41005900-6600-6700-5A00-6B0044003600}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CID	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe

NTFS ADS 12 IoCs

Processes:

Choromeupdate.exeb86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe

description	ioc	process
File created	C:\Users\Admin\Documents\My Music:{69006B00-6C00-6800-6400-390044007000}	Choromeupdate.exe
File created	C:\Users\Admin\AppData\Local\Temp:{41005900-6600-6700-5A00-6B0044003600}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
File created	C:\Users\Admin\Documents\My Music:{41005900-6600-6700-5A00-6B0044003600}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
File created	C:\odt:{41005900-6600-6700-5A00-6B0044003600}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
File created	C:\Users\Admin\AppData\Roaming:{41005900-6600-6700-5A00-6B0044003600}	Choromeupdate.exe
File opened for modification	C:\odt:{41005900-6600-6700-5A00-6B0044003600}	Choromeupdate.exe
File created	C:\Users\Admin\AppData\Roaming:{69006B00-6C00-6800-6400-390044007000}	Choromeupdate.exe
File created	C:\Users\Admin\AppData\Local\Temp:{69006B00-6C00-6800-6400-390044007000}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
File created	C:\Users\Admin\Documents\My Music:{69006B00-6C00-6800-6400-390044007000}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
File created	C:\odt:{69006B00-6C00-6800-6400-390044007000}	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
File created	C:\Users\Admin\Documents\My Music:{41005900-6600-6700-5A00-6B0044003600}	Choromeupdate.exe
File opened for modification	C:\odt:{69006B00-6C00-6800-6400-390044007000}	Choromeupdate.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe

pid	process
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exeChoromeupdate.exe

description	pid	process
Token: SeDebugPrivilege	3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
Token: SeDebugPrivilege	2536	Choromeupdate.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.execmd.execmd.exe

description	pid	process	target process
PID 3092 wrote to memory of 1872	3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 3092 wrote to memory of 1872	3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 3092 wrote to memory of 1872	3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 3092 wrote to memory of 2248	3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 3092 wrote to memory of 2248	3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 3092 wrote to memory of 2248	3092	b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe	cmd.exe
PID 1872 wrote to memory of 2728	1872	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 2728	1872	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 2728	1872	cmd.exe	schtasks.exe
PID 2248 wrote to memory of 2976	2248	cmd.exe	timeout.exe
PID 2248 wrote to memory of 2976	2248	cmd.exe	timeout.exe
PID 2248 wrote to memory of 2976	2248	cmd.exe	timeout.exe
PID 2248 wrote to memory of 2536	2248	cmd.exe	Choromeupdate.exe
PID 2248 wrote to memory of 2536	2248	cmd.exe	Choromeupdate.exe
PID 2248 wrote to memory of 2536	2248	cmd.exe	Choromeupdate.exe

C:\Users\Admin\AppData\Local\Temp\b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe
"C:\Users\Admin\AppData\Local\Temp\b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Choromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\Choromeupdate.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Choromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\Choromeupdate.exe"'
3⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp723D.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2976

C:\Users\Admin\AppData\Roaming\Choromeupdate.exe
"C:\Users\Admin\AppData\Roaming\Choromeupdate.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Isolated Storage\{69006B00-6C00-6800-6400-390044007000}
Filesize
384B

MD5
a14ab38c9a14ba45b0bf06c96a6f4df6

SHA1
6ca9fea3745d97405c4ff145fba5333b59bf4275

SHA256
78ffbd2689c6d726a52eedf530358140ac2b2a854defef12e91502e17dde3fb6

SHA512
a4ad2db866faa15c015ca9e45abdc1955ad1b4573ab17f1165edfe9c10bc11219cd1302f5597ae189b629db4968838d3e6f05d77140ccb0414faf66d86481d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp723D.tmp.bat
Filesize
157B

MD5
2bb1be16f17068082e786972167d8981

SHA1
4b1792accf5cac53b6f87fe1c9be211a1094e411

SHA256
905e80a5725a7b755b2e55d368a5a2dff3a49f3b796e103d63c535cdc99fdc39

SHA512
153bcfa9fad5ec55dd10ba84574f9cd0afd6a8f1e23cb3cddc97b2e273e2e5d50019a2040d2190699877b312228e9fb9be3f44fd69cb20ada99696a3efd85cd1

Download Submit
C:\Users\Admin\AppData\Roaming\Choromeupdate.exe
Filesize
413KB

MD5
7e09977213008f9aedf2d632e12d6e07

SHA1
7faec1e3a1d3dee4e6d94177a2f9ddad14995230

SHA256
b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f

SHA512
0149d3c5c42086d965288c6e1ef064f2b5bc1a904088586a48c70f4c696d73736e5293522b0039e1a5228437f04f87dd729b4f6ce6c5502bcdb17cdfdf84a903

Download Submit
C:\Users\Admin\AppData\Roaming\Choromeupdate.exe
Filesize
413KB

MD5
7e09977213008f9aedf2d632e12d6e07

SHA1
7faec1e3a1d3dee4e6d94177a2f9ddad14995230

SHA256
b86dddd56825d0aada8294f4667d72b5019b99435db7f2706150e1288ece6f9f

SHA512
0149d3c5c42086d965288c6e1ef064f2b5bc1a904088586a48c70f4c696d73736e5293522b0039e1a5228437f04f87dd729b4f6ce6c5502bcdb17cdfdf84a903

Download Submit
C:\odt:{41005900-6600-6700-5A00-6B0044003600}
Filesize
472B

MD5
2ee0c4557682eeaeea9b2d2bbb84b512

SHA1
479e1cb64caffdd44fe7efe84bc5a0635e1122c6

SHA256
54af376128e71cdd3947c18eda318faeb94b905553a53c17665edfea77aad219

SHA512
517992d44fdf4df5531726f9cc4f69f244afe31e1904dd6ed0a260b6cd79496bec24fc817f1df459097d6ef19428462d3139ce175daad88cf0176a1a37281ad9

Download Submit
memory/1872-139-0x0000000000000000-mapping.dmp

Download
memory/2248-141-0x0000000000000000-mapping.dmp

Download
memory/2536-145-0x0000000000000000-mapping.dmp

Download
memory/2728-143-0x0000000000000000-mapping.dmp

Download
memory/2976-144-0x0000000000000000-mapping.dmp

Download
memory/3092-138-0x00000000089F0000-0x0000000008A8C000-memory.dmp

Filesize
624KB

Download
memory/3092-132-0x0000000000580000-0x00000000005EE000-memory.dmp

Filesize
440KB

Download
memory/3092-134-0x0000000005010000-0x00000000050A2000-memory.dmp

Filesize
584KB

Download
memory/3092-135-0x0000000007F60000-0x0000000008578000-memory.dmp

Filesize
6.1MB

Download
memory/3092-137-0x0000000008580000-0x000000000864E000-memory.dmp

Filesize
824KB

Download
memory/3092-136-0x0000000007AF0000-0x0000000007B56000-memory.dmp

Filesize
408KB

Download
memory/3092-133-0x0000000005440000-0x00000000059E4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads