asyncrat | f2ade3ae8bf5ba063e0c5911c2996bafa09de659b23bbd3014747e12a378724e

Analysis

max time kernel
70s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2023, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

service_updated.exe
Size

26KB
MD5

0ba94632c859dabbdeb1c68ebd7ca34d
SHA1

70f25b976fb529d4826d9560288560d7c3f5b63e
SHA256

f2ade3ae8bf5ba063e0c5911c2996bafa09de659b23bbd3014747e12a378724e
SHA512

be6889837f1556dfde6334ab3dd9245694d79a1495c4be86eecc0ba2695beeaaa4aebfd5fd9e27cdceea2a2e6a65e7624efce48c0ba92bc3f8550d5c914d5ef0
SSDEEP

384:IJJo2hYvWMUMGYZapeJiPRQMFWsXrMTW4g1CwL1CyDb+/cG7mljCD0m3HtnX:JEH1eJiJVXrM41v1C8bpCaCgm3HtX

Score

10^/10

asyncrat default evasion rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
10
install
true
install_file
csrss.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/3Z9zi18j

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/files/0x00010000000230e4-154.dat	asyncrat
behavioral2/files/0x00010000000230e4-225.dat	asyncrat
behavioral2/files/0x00010000000230e4-226.dat	asyncrat
behavioral2/memory/1368-227-0x00000000007B0000-0x00000000007C6000-memory.dmp	asyncrat
behavioral2/files/0x00040000000227ba-303.dat	asyncrat
behavioral2/files/0x00040000000227ba-304.dat	asyncrat

Downloads MZ/PE file

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
3508	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	tmp8DD0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 4 IoCs

pid	Process
1208	tmp8DD0.exe
1368	csrss.exe
4792	Extreme Injector v3.exe
4144	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4388	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4280	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tmp8DD0.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1064	service_updated.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	service_updated.exe
Token: SeDebugPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: SeDebugPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: SeDebugPrivilege	1368	csrss.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: SeDebugPrivilege	4144	csrss.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	4792	Extreme Injector v3.exe
Token: 33	4792	Extreme Injector v3.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 3508	1064	service_updated.exe	88
PID 1064 wrote to memory of 3508	1064	service_updated.exe	88
PID 1064 wrote to memory of 1208	1064	service_updated.exe	89
PID 1064 wrote to memory of 1208	1064	service_updated.exe	89
PID 1064 wrote to memory of 1208	1064	service_updated.exe	89
PID 1208 wrote to memory of 1368	1208	tmp8DD0.exe	93
PID 1208 wrote to memory of 1368	1208	tmp8DD0.exe	93
PID 1208 wrote to memory of 4792	1208	tmp8DD0.exe	94
PID 1208 wrote to memory of 4792	1208	tmp8DD0.exe	94
PID 1368 wrote to memory of 4924	1368	csrss.exe	105
PID 1368 wrote to memory of 4924	1368	csrss.exe	105
PID 1368 wrote to memory of 4632	1368	csrss.exe	107
PID 1368 wrote to memory of 4632	1368	csrss.exe	107
PID 4924 wrote to memory of 4388	4924	cmd.exe	109
PID 4924 wrote to memory of 4388	4924	cmd.exe	109
PID 4632 wrote to memory of 4280	4632	cmd.exe	110
PID 4632 wrote to memory of 4280	4632	cmd.exe	110
PID 4632 wrote to memory of 4144	4632	cmd.exe	111
PID 4632 wrote to memory of 4144	4632	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3508	attrib.exe

C:\Users\Admin\AppData\Local\Temp\service_updated.exe
"C:\Users\Admin\AppData\Local\Temp\service_updated.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\system32\attrib.exe
  "C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\tmp8DD0.exe
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3508
- C:\Users\Admin\AppData\Local\Temp\tmp8DD0.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8DD0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\csrss.exe
    "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:4388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEF66.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4280
    - - C:\Users\Admin\AppData\Roaming\csrss.exe
        
        "C:\Users\Admin\AppData\Roaming\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
- - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
    "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ffgnxet5.ake.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
63KB

MD5
4e8ed7a82d6919108934eaa3fcd3ed9f

SHA1
f74a1c9fc02c8374ec0ee68438ae309f1f61ff41

SHA256
c933e7ccae64ffe87abb6f685c4d82ba2de7c9ff56523136e42d56b82b48b364

SHA512
2fc905d288a820d08d30b5ba64989406a89a2694af191e900bdde1e55c42ddce66cb5de9f562f8018c115029e5b210dc7b51204c2dccb73d561f5bbd996dfdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
63KB

MD5
4e8ed7a82d6919108934eaa3fcd3ed9f

SHA1
f74a1c9fc02c8374ec0ee68438ae309f1f61ff41

SHA256
c933e7ccae64ffe87abb6f685c4d82ba2de7c9ff56523136e42d56b82b48b364

SHA512
2fc905d288a820d08d30b5ba64989406a89a2694af191e900bdde1e55c42ddce66cb5de9f562f8018c115029e5b210dc7b51204c2dccb73d561f5bbd996dfdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
63KB

MD5
4e8ed7a82d6919108934eaa3fcd3ed9f

SHA1
f74a1c9fc02c8374ec0ee68438ae309f1f61ff41

SHA256
c933e7ccae64ffe87abb6f685c4d82ba2de7c9ff56523136e42d56b82b48b364

SHA512
2fc905d288a820d08d30b5ba64989406a89a2694af191e900bdde1e55c42ddce66cb5de9f562f8018c115029e5b210dc7b51204c2dccb73d561f5bbd996dfdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DD0.exe

Filesize
2.3MB

MD5
83a24ea1847f5cbb5508785abb5126ea

SHA1
63930e7171d1fc94fd4ec745392b3a1136cb0496

SHA256
246b30f2dc863cc247d9ad8bff17e1ec92f2282810f47f42634c0bb7883ba268

SHA512
fb6fbeb92bf4fee54f46e4dd75703cc85ebec3e57594fd7cb14874c096c2783ad896c863ba34c594f368d5c16df6a264e50dbb06d674c565d426dd2ddfe3890e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DD0.exe

Filesize
2.3MB

MD5
83a24ea1847f5cbb5508785abb5126ea

SHA1
63930e7171d1fc94fd4ec745392b3a1136cb0496

SHA256
246b30f2dc863cc247d9ad8bff17e1ec92f2282810f47f42634c0bb7883ba268

SHA512
fb6fbeb92bf4fee54f46e4dd75703cc85ebec3e57594fd7cb14874c096c2783ad896c863ba34c594f368d5c16df6a264e50dbb06d674c565d426dd2ddfe3890e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF66.tmp.bat

Filesize
149B

MD5
8ceb70f89d14aca842e8f6671fce5517

SHA1
e413e73baeb2b6d773fd783300b3707e999dce17

SHA256
edf1778306314abc5313341d9a9df37db793dc4cc56577857156a472bf67f05b

SHA512
99877f7c067f6835734fc97008df400a81f392a3080733550ba2a2bfc2ba2e86c4c274078f3855ff93c7d7eebd8f015b9447d064056837f766b10171ebbeda34

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
63KB

MD5
4e8ed7a82d6919108934eaa3fcd3ed9f

SHA1
f74a1c9fc02c8374ec0ee68438ae309f1f61ff41

SHA256
c933e7ccae64ffe87abb6f685c4d82ba2de7c9ff56523136e42d56b82b48b364

SHA512
2fc905d288a820d08d30b5ba64989406a89a2694af191e900bdde1e55c42ddce66cb5de9f562f8018c115029e5b210dc7b51204c2dccb73d561f5bbd996dfdad

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
63KB

MD5
4e8ed7a82d6919108934eaa3fcd3ed9f

SHA1
f74a1c9fc02c8374ec0ee68438ae309f1f61ff41

SHA256
c933e7ccae64ffe87abb6f685c4d82ba2de7c9ff56523136e42d56b82b48b364

SHA512
2fc905d288a820d08d30b5ba64989406a89a2694af191e900bdde1e55c42ddce66cb5de9f562f8018c115029e5b210dc7b51204c2dccb73d561f5bbd996dfdad

Download Submit
memory/1064-133-0x00000000007D0000-0x00000000007DC000-memory.dmp

Filesize
48KB

Download
memory/1064-144-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/1064-143-0x0000000002860000-0x0000000002882000-memory.dmp

Filesize
136KB

Download
memory/1208-149-0x0000000000400000-0x000000000064E000-memory.dmp

Filesize
2.3MB

Download
memory/1368-227-0x00000000007B0000-0x00000000007C6000-memory.dmp

Filesize
88KB

Download
memory/4792-289-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/4792-294-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/4792-295-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/4792-293-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/4792-301-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/4792-291-0x000000001EB10000-0x000000001EB4C000-memory.dmp

Filesize
240KB

Download
memory/4792-290-0x000000001C280000-0x000000001C292000-memory.dmp

Filesize
72KB

Download
memory/4792-288-0x0000000000370000-0x0000000000556000-memory.dmp

Filesize
1.9MB

Download
memory/4792-306-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/4792-307-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/4792-308-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/4792-309-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download