Analysis
- max time kernel: 85s
- max time network: 86s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 26/04/2023, 18:44

Behavioral task: behavioral1
- Sample: AsyncClient.exe
- Resource: win7-20230220-en
General
- Target: AsyncClient.exe
- Size: 45KB
- MD5: dcfb73959b8a575a7f5765bb0723a861
- SHA1: b9757ac469bc18714e7c138094bd461707ff80c5
- SHA256: afbe39d83050f54ca4cdaca312b52475f70389dd7f906653c5869f4db914c85a
- SHA512: c2f4a52227ae66263266c41d7cd5823c0ded669fddec194b1c5f47d8be95851dd359da887a60f9d8a7e7a63f17f4e95e24e4ea7a1ee087925a7bbdad04f43090
- SSDEEP: 768:3uyRNTAoZjRWUJs9bmo2qL7KjGKG6PIyzjbFgX3i+ETtzcHmjBEgmyBDZzx:3uyRNTAGo2WKYDy3bCXS+camjBndzx
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 181.ip.ply.gg:5050
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  - delay: 3
  - install: true
  - install_file: svchost.exe
  - install_folder: %AppData%
Signatures

Async RAT payload (6 IoCs)
resource / yara_rule:
- behavioral1/memory/2036-54-0x00000000010A0000-0x00000000010B2000-memory.dmp: asyncrat
- behavioral1/files/0x000b0000000122df-66.dat: asyncrat
- behavioral1/files/0x000b0000000122df-65.dat: asyncrat
- behavioral1/files/0x000b0000000122df-67.dat: asyncrat
- behavioral1/memory/1388-68-0x00000000003D0000-0x00000000003E2000-memory.dmp: asyncrat
- behavioral1/memory/1388-69-0x0000000004D70000-0x0000000004DB0000-memory.dmp: asyncrat

Executes dropped EXE (1 IoC)
pid / Process:
- 1388 svchost.exe

Loads dropped DLL (1 IoC)
pid / Process:
- 668 cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 992 schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid / Process:
- 2008 timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid / Process:
- 2036 AsyncClient.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, PID 2036, AsyncClient.exe
- Token: SeDebugPrivilege, PID 1388, svchost.exe
- Token: 33, PID 280, AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 280, AUDIODG.EXE
- Token: 33, PID 280, AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 280, AUDIODG.EXE

Suspicious use of WriteProcessMemory (20 IoCs)
description / pid / Process / procid_target (each entry was recorded 4 times):
- PID 2036 wrote to memory of 468; AsyncClient.exe; target 28
- PID 2036 wrote to memory of 668; AsyncClient.exe; target 30
- PID 468 wrote to memory of 992; cmd.exe; target 33
- PID 668 wrote to memory of 2008; cmd.exe; target 32
- PID 668 wrote to memory of 1388; cmd.exe; target 34
Processes

1. C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
   PID: 2036
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      PID: 468
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
         PID: 992
         - Creates scheduled task(s)

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1D61.tmp.bat""
      PID: 668
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 3
         PID: 2008
         - Delays execution with timeout.exe

      3. C:\Users\Admin\AppData\Roaming\svchost.exe
         Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
         PID: 1388
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x488
   PID: 280
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 151B
  MD5: 70369098f2268d004590a27073230e35
  SHA1: 396210dc2268c06145aa1b29ecb61e43d18284b7
  SHA256: b8d8d7a0bdf51fd783955f27a13ab994d20a9a3f1910a0dd7b61b27312060ccd
  SHA512: 071484875da067cde8f6879ff2d073a6347e2365e400b07771a4bf1672d9f3fe9f5b459aeeb790b1a26336fd84679b122487769d449115bfc932e022bfdbbf74
- Filesize: 45KB
  MD5: dcfb73959b8a575a7f5765bb0723a861
  SHA1: b9757ac469bc18714e7c138094bd461707ff80c5
  SHA256: afbe39d83050f54ca4cdaca312b52475f70389dd7f906653c5869f4db914c85a
  SHA512: c2f4a52227ae66263266c41d7cd5823c0ded669fddec194b1c5f47d8be95851dd359da887a60f9d8a7e7a63f17f4e95e24e4ea7a1ee087925a7bbdad04f43090