Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-03-2023 17:01
Behavioral task: behavioral1
- Sample: AsyncClient.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: AsyncClient.exe
- Resource: win10v2004-20230220-en
General
- Target: AsyncClient.exe
- Size: 45KB
- MD5: 396113eb702441f9d4377425caa87188
- SHA1: cdb100adec115eab8239f8d14da3ea3e64c1570c
- SHA256: ec93adc0594e2c2fb8360d594d434bd5a217f2fb7d4184e086220fcae3886c9f
- SHA512: daf3c73adbde89d21b4928a541712843d9423c355a74013ac222df3d08f763862f31e31a1e110d683d063f2ce7b208dd6c64d4665a4f088c001d68d0fcf1b34e
- SSDEEP: 768:LudbM1T1fzFPWUDCytmo2qIWKjGKG6PIyzjbFgX3i89bccImEpJp8Mf2uFd0BDZV:LudbM1T1b12qKYDy3bCXS8JcBTpJiuF4
Malware Config
Extracted
asyncrat
0.5.7B
COM Surrogate
COM Surrogate
- delay: 3
- install: true
- install_file: Microsoftfixer.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (3 IoCs)
  Resource and matching YARA rule:
  - behavioral2/memory/3232-133-0x00000000004D0000-0x00000000004E2000-memory.dmp: asyncrat
  - C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe: asyncrat
  - C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe: asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely used as a geofence.
  Process: AsyncClient.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (AsyncClient.exe)
- Executes dropped EXE (1 IoC)
  Process: Microsoftfixer.exe
  - PID 3040: Microsoftfixer.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: taskmgr.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Process: timeout.exe
  - PID 832: timeout.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 3232 AsyncClient.exe, PID 4736 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes: AsyncClient.exe, Microsoftfixer.exe, taskmgr.exe
  - Token: SeDebugPrivilege, PID 3232, AsyncClient.exe
  - Token: SeDebugPrivilege, PID 3040, Microsoftfixer.exe
  - Token: SeDebugPrivilege, PID 3040, Microsoftfixer.exe
  - Token: SeDebugPrivilege, PID 4736, taskmgr.exe
  - Token: SeSystemProfilePrivilege, PID 4736, taskmgr.exe
  - Token: SeCreateGlobalPrivilege, PID 4736, taskmgr.exe
  - Token: 33, PID 4736, taskmgr.exe
  - Token: SeIncBasePriorityPrivilege, PID 4736, taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: PID 4736 taskmgr.exe
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes: PID 4736 taskmgr.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: AsyncClient.exe, cmd.exe, cmd.exe
  - PID 3232 (AsyncClient.exe) wrote to memory of PID 3660 (cmd.exe), 3 entries
  - PID 3232 (AsyncClient.exe) wrote to memory of PID 2708 (cmd.exe), 3 entries
  - PID 3660 (cmd.exe) wrote to memory of PID 3648 (schtasks.exe), 3 entries
  - PID 2708 (cmd.exe) wrote to memory of PID 832 (timeout.exe), 3 entries
  - PID 2708 (cmd.exe) wrote to memory of PID 3040 (Microsoftfixer.exe), 3 entries
Processes
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoftfixer" /tr '"C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe"' & exit
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "Microsoftfixer" /tr '"C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe"'
          - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C18.tmp.bat""
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 3
          - Delays execution with timeout.exe
        C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8C18.tmp.bat
  Filesize: 158B
  MD5: 273397521d7406c3561ced843ae0567b
  SHA1: ca2aa3772d547ca5d4952e79c15de7177b1f1bfe
  SHA256: ff788db8dc741680b44a5b747ae420395d5cb5a84ff2c609a8bcca57acbde3cb
  SHA512: f6aefd865451d03ca3f436e7d4096333c5f4ff5894c27c6420edd22696f109309b2d11cd61ad3bec5d9df1dbfe80c4d780dcf52073b6cc6e9d3b3ac9d1b7f924
- C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe
  Filesize: 45KB
  MD5: 396113eb702441f9d4377425caa87188
  SHA1: cdb100adec115eab8239f8d14da3ea3e64c1570c
  SHA256: ec93adc0594e2c2fb8360d594d434bd5a217f2fb7d4184e086220fcae3886c9f
  SHA512: daf3c73adbde89d21b4928a541712843d9423c355a74013ac222df3d08f763862f31e31a1e110d683d063f2ce7b208dd6c64d4665a4f088c001d68d0fcf1b34e
- memory/3040-146-0x0000000004F40000-0x0000000004F50000-memory.dmp (Filesize: 64KB)
- memory/3040-145-0x0000000004F40000-0x0000000004F50000-memory.dmp (Filesize: 64KB)
- memory/3232-136-0x00000000053C0000-0x000000000545C000-memory.dmp (Filesize: 624KB)
- memory/3232-135-0x0000000004F30000-0x0000000004F96000-memory.dmp (Filesize: 408KB)
- memory/3232-134-0x0000000004EB0000-0x0000000004EC0000-memory.dmp (Filesize: 64KB)
- memory/3232-133-0x00000000004D0000-0x00000000004E2000-memory.dmp (Filesize: 72KB)
- memory/4736-148-0x0000028C2F270000-0x0000028C2F271000-memory.dmp (Filesize: 4KB)
- memory/4736-147-0x0000028C2F270000-0x0000028C2F271000-memory.dmp (Filesize: 4KB)
- memory/4736-149-0x0000028C2F270000-0x0000028C2F271000-memory.dmp (Filesize: 4KB)
- memory/4736-153-0x0000028C2F270000-0x0000028C2F271000-memory.dmp (Filesize: 4KB)
- memory/4736-154-0x0000028C2F270000-0x0000028C2F271000-memory.dmp (Filesize: 4KB)
- memory/4736-155-0x0000028C2F270000-0x0000028C2F271000-memory.dmp (Filesize: 4KB)
- memory/4736-156-0x0000028C2F270000-0x0000028C2F271000-memory.dmp (Filesize: 4KB)
- memory/4736-157-0x0000028C2F270000-0x0000028C2F271000-memory.dmp (Filesize: 4KB)
- memory/4736-158-0x0000028C2F270000-0x0000028C2F271000-memory.dmp (Filesize: 4KB)
- memory/4736-159-0x0000028C2F270000-0x0000028C2F271000-memory.dmp (Filesize: 4KB)