asyncrat | e728fc990c2e7926c775d4dedd4394c78e7d67cebc08b937ae8feec17be0ebeb

General

Target

5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
Size

225KB
MD5

d5bbe92d4a8b9014708e0aa325158e2b
SHA1

7dd6b0e60dbcc9207b5ef18daee9790f14c525d4
SHA256

5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4
SHA512

5bc381ea0bcce769ef7798a132e56ea6fdfb0526c11b531bed9ff1db4682d5e67c3a246fe0bff87d42f19b0e20933001f9eca0697feb6de0d6aec6a9aaf5004f
SSDEEP

6144:VeUOuccUzNkM0MU1QPvoj4DFBHLWEUuJJmfUGs70p8I:UUlcjJkrX1QPv/DbrWE5JlGs70pZ

Score

10^/10

asyncrat dnock rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Dnock

C2

dnuocc.com:3306

dnuocc.com:1452

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
crsi.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1056-58-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1056-60-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1056-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/304-81-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/304-83-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/304-84-0x0000000000950000-0x0000000000990000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

crsi.execrsi.exe

pid process

588 crsi.exe
304 crsi.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

832 cmd.exe

pid	process
588	crsi.exe
304	crsi.exe

pid	process
832	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.execrsi.exe

description	pid	process	target process
PID 1768 set thread context of 1056	1768	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
PID 588 set thread context of 304	588	crsi.exe	crsi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1524 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1720 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe

pid process

1056 5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe

pid	process
1524	schtasks.exe

pid	process
1720	timeout.exe

pid	process
1056	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.execrsi.execrsi.exe

description	pid	process
Token: SeDebugPrivilege	1768	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
Token: SeDebugPrivilege	1056	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
Token: SeDebugPrivilege	588	crsi.exe
Token: SeDebugPrivilege	304	crsi.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.execmd.execmd.execrsi.exe

description	pid	process	target process
PID 1768 wrote to memory of 1056	1768	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
PID 1768 wrote to memory of 1056	1768	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
PID 1768 wrote to memory of 1056	1768	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
PID 1768 wrote to memory of 1056	1768	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
PID 1768 wrote to memory of 1056	1768	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
PID 1768 wrote to memory of 1056	1768	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
PID 1768 wrote to memory of 1056	1768	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
PID 1768 wrote to memory of 1056	1768	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
PID 1768 wrote to memory of 1056	1768	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
PID 1056 wrote to memory of 1320	1056	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	cmd.exe
PID 1056 wrote to memory of 1320	1056	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	cmd.exe
PID 1056 wrote to memory of 1320	1056	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	cmd.exe
PID 1056 wrote to memory of 1320	1056	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	cmd.exe
PID 1056 wrote to memory of 832	1056	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	cmd.exe
PID 1056 wrote to memory of 832	1056	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	cmd.exe
PID 1056 wrote to memory of 832	1056	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	cmd.exe
PID 1056 wrote to memory of 832	1056	5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe	cmd.exe
PID 1320 wrote to memory of 1524	1320	cmd.exe	schtasks.exe
PID 1320 wrote to memory of 1524	1320	cmd.exe	schtasks.exe
PID 1320 wrote to memory of 1524	1320	cmd.exe	schtasks.exe
PID 1320 wrote to memory of 1524	1320	cmd.exe	schtasks.exe
PID 832 wrote to memory of 1720	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1720	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1720	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1720	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 588	832	cmd.exe	crsi.exe
PID 832 wrote to memory of 588	832	cmd.exe	crsi.exe
PID 832 wrote to memory of 588	832	cmd.exe	crsi.exe
PID 832 wrote to memory of 588	832	cmd.exe	crsi.exe
PID 588 wrote to memory of 304	588	crsi.exe	crsi.exe
PID 588 wrote to memory of 304	588	crsi.exe	crsi.exe
PID 588 wrote to memory of 304	588	crsi.exe	crsi.exe
PID 588 wrote to memory of 304	588	crsi.exe	crsi.exe
PID 588 wrote to memory of 304	588	crsi.exe	crsi.exe
PID 588 wrote to memory of 304	588	crsi.exe	crsi.exe
PID 588 wrote to memory of 304	588	crsi.exe	crsi.exe
PID 588 wrote to memory of 304	588	crsi.exe	crsi.exe
PID 588 wrote to memory of 304	588	crsi.exe	crsi.exe

C:\Users\Admin\AppData\Local\Temp\5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
"C:\Users\Admin\AppData\Local\Temp\5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
  C:\Users\Admin\AppData\Local\Temp\5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\Admin\AppData\Roaming\crsi.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\Admin\AppData\Roaming\crsi.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp23E6.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1720
  - - C:\Users\Admin\AppData\Roaming\crsi.exe
      "C:\Users\Admin\AppData\Roaming\crsi.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:588
    - - C:\Users\Admin\AppData\Roaming\crsi.exe
        
        C:\Users\Admin\AppData\Roaming\crsi.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp23E6.tmp.bat

Filesize
148B

MD5
61ca8bbe54b905f6f0d78c5ee9f772a6

SHA1
0c1f74b007761700d6598d474b2f7a8a43fed313

SHA256
6a8b96c73d715dc7baa4f7d513621f16b70df4e3196ed0dac995b88c64975111

SHA512
3966d6f075db0af7d841379f996e897e3b74a5e3916ba752d3d076fb1c0736a06973f762ceb596b9098a5cfc36bf218bbd5ecb2e5a96b7a46694eec3236b2ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp23E6.tmp.bat

Filesize
148B

MD5
61ca8bbe54b905f6f0d78c5ee9f772a6

SHA1
0c1f74b007761700d6598d474b2f7a8a43fed313

SHA256
6a8b96c73d715dc7baa4f7d513621f16b70df4e3196ed0dac995b88c64975111

SHA512
3966d6f075db0af7d841379f996e897e3b74a5e3916ba752d3d076fb1c0736a06973f762ceb596b9098a5cfc36bf218bbd5ecb2e5a96b7a46694eec3236b2ade

Download Submit
C:\Users\Admin\AppData\Roaming\crsi.exe

Filesize
225KB

MD5
d5bbe92d4a8b9014708e0aa325158e2b

SHA1
7dd6b0e60dbcc9207b5ef18daee9790f14c525d4

SHA256
5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4

SHA512
5bc381ea0bcce769ef7798a132e56ea6fdfb0526c11b531bed9ff1db4682d5e67c3a246fe0bff87d42f19b0e20933001f9eca0697feb6de0d6aec6a9aaf5004f

Download Submit
C:\Users\Admin\AppData\Roaming\crsi.exe

Filesize
225KB

MD5
d5bbe92d4a8b9014708e0aa325158e2b

SHA1
7dd6b0e60dbcc9207b5ef18daee9790f14c525d4

SHA256
5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4

SHA512
5bc381ea0bcce769ef7798a132e56ea6fdfb0526c11b531bed9ff1db4682d5e67c3a246fe0bff87d42f19b0e20933001f9eca0697feb6de0d6aec6a9aaf5004f

Download Submit
C:\Users\Admin\AppData\Roaming\crsi.exe

Filesize
225KB

MD5
d5bbe92d4a8b9014708e0aa325158e2b

SHA1
7dd6b0e60dbcc9207b5ef18daee9790f14c525d4

SHA256
5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4

SHA512
5bc381ea0bcce769ef7798a132e56ea6fdfb0526c11b531bed9ff1db4682d5e67c3a246fe0bff87d42f19b0e20933001f9eca0697feb6de0d6aec6a9aaf5004f

Download Submit
\Users\Admin\AppData\Roaming\crsi.exe

Filesize
225KB

MD5
d5bbe92d4a8b9014708e0aa325158e2b

SHA1
7dd6b0e60dbcc9207b5ef18daee9790f14c525d4

SHA256
5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4

SHA512
5bc381ea0bcce769ef7798a132e56ea6fdfb0526c11b531bed9ff1db4682d5e67c3a246fe0bff87d42f19b0e20933001f9eca0697feb6de0d6aec6a9aaf5004f

Download Submit
memory/304-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/304-85-0x0000000000950000-0x0000000000990000-memory.dmp

Filesize
256KB

Download
memory/304-84-0x0000000000950000-0x0000000000990000-memory.dmp

Filesize
256KB

Download
memory/304-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/588-76-0x0000000000850000-0x000000000088E000-memory.dmp

Filesize
248KB

Download
memory/588-77-0x00000000007C0000-0x0000000000800000-memory.dmp

Filesize
256KB

Download
memory/1056-63-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/1056-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1056-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1056-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1768-56-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1768-55-0x00000000003D0000-0x000000000040C000-memory.dmp

Filesize
240KB

Download
memory/1768-57-0x0000000006E40000-0x0000000006E80000-memory.dmp

Filesize
256KB

Download
memory/1768-54-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads